Home page logo

oss-sec logo oss-sec mailing list archives

Re: CVE-2010 Request: quake3 / openarena-server: DDoS by processing 'getstatus' and 'rcon' packets
From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 26 Mar 2012 12:48:56 -0600

On 03/26/2012 07:09 AM, Jan Lieskovsky wrote:
Hello Kurt, Steve, vendors,

  yet in 2010 the following problem has been corrected in Quake3 /

  A distributed denial of service flaw was found in the way Quake3 Arena /
OpenArena servers used to handle 'getstatus' and 'rcon' (remote command)
connectionless requests. A remote attacker could use this flaw to perform
distributed denial of service attack against the target server IP
gameserver by
spoofing certain packets.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665656
[2] http://openarena.ws/board/index.php?topic=4391.0
[3] http://www.ioquake.org/forums/viewtopic.php?f=12&t=1694
[4] http://www.urbanterror.info/forums/topic/27825-drdos/

[6] https://bugzilla.redhat.com/show_bug.cgi?id=806898

Relevant upstream patch:
[7] http://icculus.org/pipermail/quake3-commits/2010-January/001679.html

Could you allocate a CVE-2010-* CVE identifier for this issue?

Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team

P.S.: There doesn't seem to be a CVE identifier for this issue yet:

      mentions various Quake3 related security flaws, but doesn't
      this concrete issue yet.

Please use CVE-2010-5077 for this issue.

Kurt Seifried Red Hat Security Response Team (SRT)

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]