Bug#665842: Bug#665656: openarena-server: is vulnerable for getstatus DRDoS attack

Simon McVittie smcv at debian.org
Mon Mar 26 19:48:05 UTC 2012


retitle 665656 openarena-server: [CVE-2010-5077] traffic amplification via getstatus requests
retitle 665842 tremulous: [CVE-2010-5077] traffic amplification via getstatus requests
thanks

On 26/03/12 11:23, Simon McVittie wrote:
> It has been discovered that spoofed "getstatus" UDP requests are being
> used by attackers[0][1][2][3] to direct status responses from multiple
> Quake 3-based servers to a victim, as a traffic amplification mechanism
> for a denial of service attack on that victim.
> 
> Open-source games derived from the Quake 3 engine are typically based on
> ioquake3 [4], a popular fork of that engine. This vulnerability was
> fixed in ioquake3 svn revision 1762 (January 2010) [5] by applying a
> rate-limit to the getstatus request. Like several other known and fixed
> vulnerabilities, it is not fixed in the latest official ioquake3 release
> (1.36, April 2009).
> 
> If a CVE ID is allocated for this vulnerability, please reference
> ioquake3 r1762 prominently in any advisory.

CVE-2010-5077 has now been allocated for this.
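The rate-limit approach the quoted report credits to ioquake3 r1762, as an added C illustration (my own code, not the ioquake3 or openarena-server fix): a per-source leaky bucket that silently drops excess getstatus queries, plus helpers that show how many reply bytes a spoofed flood pushes toward the victim with and without it. The burst/period values, bucket table size and request/reply sizes are constructed assumptions, as are all function names.

```c
#include <stdint.h>
#include <string.h>
/* Constructed wire sizes: OOB header + "getstatus\n" is 14 bytes; a status reply is assumed 1200. */
#define REQ_BYTES  14
#define RESP_BYTES 1200
/* Per-source leaky bucket: BURST replies back-to-back, then one more per PERIOD_MS (own choice). */
#define SLOTS     256
#define BURST     10
#define PERIOD_MS 1000

typedef struct {
    uint32_t addr;    /* requester's IPv4 address, host order; 0 = empty slot */
    uint32_t level;   /* bucket fill, in requests */
    uint64_t last_ms; /* when the bucket was last drained */
} bucket_t;
static bucket_t buckets[SLOTS];

void ratelimit_reset(void) { memset(buckets, 0, sizeof buckets); }

/* 1 if a reply to a getstatus from addr may be sent at now_ms, 0 if the query must be dropped. */
int getstatus_allowed(uint32_t addr, uint64_t now_ms)
{
    bucket_t *b = &buckets[addr % SLOTS];          /* colliding addresses share a bucket (conservative) */
    if (b->addr != addr || now_ms < b->last_ms) {  /* new or evicted address, or clock stepped back */
        b->addr = addr; b->level = 0; b->last_ms = now_ms;
    }
    uint64_t drained = (now_ms - b->last_ms) / PERIOD_MS; /* one request leaks out per full period */
    if (drained) {
        b->level = drained >= b->level ? 0 : b->level - (uint32_t)drained;
        b->last_ms += drained * PERIOD_MS;
    }
    if (b->level >= BURST) return 0; /* full: drop silently, so nothing is sent toward the spoofed source */
    b->level++;
    return 1;
}

/* Replay n queries, one per millisecond, all carrying the same spoofed source; return how many replies leave. */
unsigned replies_for_flood(uint32_t spoofed_src, unsigned n, uint64_t start_ms, int limited)
{
    unsigned sent = 0;
    for (unsigned i = 0; i < n; i++)
        sent += limited ? (unsigned)getstatus_allowed(spoofed_src, start_ms + i) : 1u;
    return sent;
}

/* Bytes pushed at the victim per byte the attacker spent: the amplification factor. */
double amplification(unsigned requests, unsigned replies)
{
    return requests ? (double)replies * RESP_BYTES / ((double)requests * REQ_BYTES) : 0.0;
}
```

With the constructed sizes, an unlimited server returns roughly 85 bytes per attacker byte, while the bucket caps a one-second flood at BURST replies and drives the factor below 1.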