Bug#665656: openarena-server: is vulnerable for getstatus DRDoS attack

Mon Mar 26 10:23:07 UTC 2012

On 26/03/12 06:35, Florian Weimer wrote:
> Please set the distribution to squeeze-security, adjust the version
> number, build with -sa, and upload to security-master.

Uploaded, thanks. If you obtain a CVE number for this, please make sure
any advisory prominently mentions ioquake3 r1762 and/or this bug number.

Tremulous (contrib) seems to be vulnerable to the same thing... I'll
open a bug.

Here's some text for a general advisory, and some shorter text suitable
for a DSA:

--------------

It has been discovered that spoofed "getstatus" UDP requests are being
used by attackers[0][1][2][3] to direct status responses from multiple
Quake 3-based servers to a victim, as a traffic amplification mechanism
for a denial of service attack on that victim.

Open-source games derived from the Quake 3 engine are typically based on
ioquake3 [4], a popular fork of that engine. This vulnerability was
fixed in ioquake3 svn revision 1762 (January 2010) [5] by applying a
rate-limit to the getstatus request. Like several other known and fixed
vulnerabilities, it is not fixed in the latest official ioquake3 release
(1.36, April 2009).

If a CVE ID is allocated for this vulnerability, please reference
ioquake3 r1762 prominently in any advisory.

Fixed versions of various open-source games based on Quake III Arena,
mostly based on visual inspection of their source code:

* ioquake3 svn >= r1762
* OpenArena >= 0.8.8
* OpenArena engine snapshot >= 0.8.x-20
* World of Padman >= 1.5.4
* Tremulous svn trunk >= r1953
* Tremulous svn, gpp branch >= r1955
* Smokin' Guns >= 1.1b4
* Smokin' Guns svn 1.1 branch >= r472

Vulnerable older versions include:

* ioquake3 engine 1.36
* OpenArena 0.8.5
* World of Padman 1.5
* Tremulous 1.1.0
* Tremulous Gameplay Preview 1 (GPP1)
* Smokin' Guns svn trunk at the time of writing (r181)

Proprietary games based on the Quake III Arena engine (Quake III Arena
when played using its official engine, Star Wars: Jedi Outcast and Jedi
Academy, Star Trek: Elite Force 1 & 2, etc.) are also likely to be
vulnerable.

Proprietary games being run under the ioquake3 engine (Quake III Arena
when using ioquake3, Urban Terror when using ioUrbanTerror, etc.) may be
vulnerable or not vulnerable, depending on the version of ioquake3 used.

[0]
http://lists.ioquake.org/pipermail/ioquake3-ioquake.org/2012-January/004778.html
[1] http://openarena.ws/board/index.php?topic=4391.0
[2] http://www.urbanterror.info/forums/topic/27825-drdos/
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665656
[4] http://ioquake3.org/
[5] http://icculus.org/pipermail/quake3-commits/2010-January/001679.html

-----------

It has been discovered that spoofed "getstatus" UDP requests are used by
attackers to direct status responses from multiple Quake 3-based servers
(such as OpenArena) to a victim, as a traffic amplification mechanism
for a denial of service attack on that victim.

For the stable distribution (squeeze), this problem has been fixed in
version 0.8.5-5+squeeze2.

For the testing and unstable distributions (wheezy/sid), this problem is
fixed in all released versions of the ioquake3 package, which are used
by version 0.8.5-6 or later of the openarena package.