oss-sec mailing list archives

CVE-2010 Request: quake3 / openarena-server: DDoS by processing 'getstatus' and 'rcon' packets
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Mon, 26 Mar 2012 15:09:01 +0200

Hello Kurt, Steve, vendors,

  back in 2010 the following problem was corrected in Quake3 / OpenArena:

  A distributed denial of service flaw was found in the way Quake3 Arena /
OpenArena servers handled 'getstatus' and 'rcon' (remote command)
connectionless requests. A remote attacker could use this flaw to perform a
distributed denial of service attack against a target game server's IP address by
spoofing certain packets.

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665656
[2] http://openarena.ws/board/index.php?topic=4391.0
[3] http://www.ioquake.org/forums/viewtopic.php?f=12&t=1694
[4] http://www.urbanterror.info/forums/topic/27825-drdos/
[5] http://lists.ioquake.org/pipermail/ioquake3-ioquake.org/2012-January/004778.html
[6] https://bugzilla.redhat.com/show_bug.cgi?id=806898

Relevant upstream patch:
[7] http://icculus.org/pipermail/quake3-commits/2010-January/001679.html

Could you allocate a CVE-2010-* CVE identifier for this issue?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

P.S.: There doesn't seem to be a CVE identifier for this issue yet:
      http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=quake3

      mentions various Quake3 related security flaws, but doesn't mention
      this concrete issue yet.
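The mitigation class for this kind of reflection flaw is to rate limit replies to connectionless requests per source address and globally, since a UDP reply always goes to the (possibly spoofed) source. The following is an added illustration, not code from ioquake3, OpenArena or the referenced upstream patch; the 0xFFFFFFFF header convention is Quake3's, while the bucket parameters, class names and sample addresses are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Quake3-family connectionless datagrams start with four 0xFF bytes followed
# by an ASCII command. The source address of such a datagram is unverified,
# so the reply is effectively sent wherever the sender claims to be.
OOB_HEADER = b"\xff\xff\xff\xff"
# Requests whose reply is much larger than the request (amplifiers).
RATE_LIMITED_CMDS = {b"getstatus", b"getinfo", b"rcon"}


@dataclass
class Bucket:
    """Leaky bucket: at most 'burst' replies, refilled one per 'period_ms'."""
    burst: int
    period_ms: int

    def __post_init__(self):
        self.tokens = float(self.burst)
        self.last_ms = 0

    def allow(self, now_ms: int) -> bool:
        refill = (now_ms - self.last_ms) / self.period_ms
        self.tokens = min(self.burst, self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ConnectionlessFilter:
    """Per-source limiting caps what one (spoofed) victim address can be made
    to receive from this server; the global bucket caps total amplification."""

    def __init__(self, per_addr_burst=10, per_addr_period_ms=1000,
                 global_burst=100, global_period_ms=100):
        self.addr_params = (per_addr_burst, per_addr_period_ms)
        self.per_addr = {}
        self.global_bucket = Bucket(global_burst, global_period_ms)

    def should_answer(self, src_ip: str, packet: bytes, now_ms: int) -> bool:
        if not packet.startswith(OOB_HEADER):
            return True  # in-band game traffic, not handled here
        cmd = packet[len(OOB_HEADER):].split(b" ", 1)[0].strip()
        if cmd not in RATE_LIMITED_CMDS:
            return True
        bucket = self.per_addr.setdefault(src_ip, Bucket(*self.addr_params))
        # Per-address check first, so one flooding source cannot drain the
        # global allowance shared by legitimate clients.
        return bucket.allow(now_ms) and self.global_bucket.allow(now_ms)
```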
