![]() "However, we can say that we take issues of both responsiveness and disclosure seriously and will work closely with our partners at Valve to address this situation.” Game changer “It’s our policy not to comment on customer programs without their consent," HackerObe said. in response to questions from The Daily Swig, HackerOne offered the following comment. No word back as yet, but we’ll update this story as and when more information comes to hand. The Daily Swig contacted Valve’s PR team for comment via a form on the gaming publisher’s website. And Valve, they rely on security through obscurity,” Pham said. “The reason why Valve delayed their response for a long time, I think because of policy allows vendors to hold the report indefinitely. ![]() The researcher – who added he was “pretty sure” the flaw was different from that discovered by Florian – said there was no evidence of any exploitation of the vulnerability, but nonetheless criticised Valve for its apparent inaction. Read more of the latest gaming security news In response to follow-up questions from The Daily Swig, Pham confirmed the second flaw remained unresolved but declined to go into details, beyond describing it as a “logic bug”. “RCE can be achieved by connecting to a malicious server, then the chain will be completed when game is restarted,” Singapore-based Pham said on a message on Twitter. This, too, he says, has been “ignored by Valve for a year”. Separately this week, another security researcher, Bien Pham, voiced his concerns that a flaw he reported in Steam also poses a remote code execution risk. “Valve Steam through, when a Source engine game is installed, allows remote authenticated users to execute arbitrary code because of a buffer overflow that occurs for a Steam invite after one click,” the entry states. “This has yet to be patched, and Valve is preventing us from publicly disclosing it.”Ī tracker for the issue – CVE-2021-30481 – was been added to NIST’s National Vulnerability database on Monday (April 12). ![]() “It can be triggered through a Steam invite,” the group added. ![]() RECOMMENDED Capcom ransomware attack: Hackers gained access via vulnerable VPN Secret Club aired its frustration in a Twitter update over the weekend: “Two years ago, Secret Club member reported a remote code execution (RCE) flaw affecting all source engine games. UPDATED Pressure is growing on games publisher Valve after two sets of security researchers came forward with complaints that it has been slow at resolving security flaws in its popular Steam platform.Ī seemingly critical Steam source engine vulnerability discovered by ‘ Florian’, a member of reverse engineering group Secret Club, and dating from 2019 is said to remain unresolved – much to the consternation of the individual involved and his security research colleagues.įlorian reported the flaw to Valve through a bug bounty program run by HackerOne, but despite multiple attempts to chase the issue no action has been taken, even though the security flaw was “verified/triaged after a couple of months”, according to the bug hunter. ![]() Two-year-old RCE flaws still unpatched, bounty hunters claim ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |