CVE: Remote denial-of-service fixed in 0.6.5

[apoleon]

Hi,

apparently version 0.6.5 and version 0.7.0 fix a remote denial-of-service vulnerability in Teeworlds. Did you request a CVE for this security issue? It appears that all versions prior 0.6.5 are affected. Is this correct?

Are these the fixing commits?

4c00063
439483c

[heinrich5991]

No CVE was requested as far as I know.

The fixing commits for 0.6 are:

a263185
aababc6
f5fa1a9

(not the ones you specified) plus some dependencies (md5 support).

The vulnerability is the following: Since there was no challenge-response involved in the connection build up, you could send the connection packets from a spoofed IP address and occupy a server slot or even use it for a reflection attack using map download packets.

The reflection problem still exists in 0.6.5 for the server info packets. I don't know about the state of the server info packets in 0.7.0, but I think a 1:1 reflection is still possible.

[apoleon]

Thank you for your clarification. I have just requested a CVE id for this issue. I will update this bug report as soon as I receive more information. FTR, this is also Debian bug https://bugs.debian.org/911487

[apoleon]

This issue was assigned CVE-2018-18541.

[heinrich5991]

Thanks for requesting a CVE.

Are there guidelines for when to request one? How does one go about requesting a CVE?

[apoleon]

It is usually up to you or everyone else to decide whether a specific programming error can be deemed a security vulnerability. You can request a CVE at https://cveform.mitre.org/. As a rule of thumb I would always request a CVE when you think that a bug might affect the integrity of a user's system (arbitrary file write, buffer overflows, reading unrelated memory that should never be read, bypassing access controls, etc.), deceiving a user (e.g. XSS attacks) or making a system/application unusable (denial-of-service) like in this case. This question has also been answered here: https://cve.mitre.org/about/faqs.html#what_is_vulnerability.

I only noticed this bug because my own server was attacked only a week ago. It could be mitigated by changing the server port of teeworlds but obviously this wasn't a real solution. The requested CVE id makes sure that all major vendors and distributors will know about this issue. Most of them will now upgrade to your latest upstream release but some might prefer to backport the fixing commits. In any case this raises awareness and will ensure that this issue will be fixed more quickly.

Thanks for providing the links to your fixing commits. I believe this bug report can be closed now. It will then just serve as a reference for others.