oss-sec mailing list archives
Re: CVE-2010 Request: quake3 / openarena-server: DDoS by processing 'getstatus' and 'rcon' packets
From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 26 Mar 2012 12:48:56 -0600
On 03/26/2012 07:09 AM, Jan Lieskovsky wrote:
Hello Kurt, Steve, vendors,

already in 2010 the following problem was corrected in Quake3 / OpenArena:

A distributed denial of service flaw was found in the way Quake3 Arena / OpenArena servers used to handle 'getstatus' and 'rcon' (remote command) connectionless requests. A remote attacker could use this flaw to perform a distributed denial of service attack against the target server IP gameserver by spoofing certain packets.

References:
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665656
[2] http://openarena.ws/board/index.php?topic=4391.0
[3] http://www.ioquake.org/forums/viewtopic.php?f=12&t=1694
[4] http://www.urbanterror.info/forums/topic/27825-drdos/
[5] http://lists.ioquake.org/pipermail/ioquake3-ioquake.org/2012-January/004778.html
[6] https://bugzilla.redhat.com/show_bug.cgi?id=806898

Relevant upstream patch:
[7] http://icculus.org/pipermail/quake3-commits/2010-January/001679.html

Could you allocate a CVE-2010-* CVE identifier for this issue?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

P.S.: There doesn't seem to be a CVE identifier for this issue yet: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=quake3 mentions various Quake3 related security flaws, but doesn't mention this concrete issue yet.
Please use CVE-2010-5077 for this issue. -- Kurt Seifried Red Hat Security Response Team (SRT)
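The amplification described in the request, and one mitigation for it, as an added example that is not part of this thread and not a transcription of the linked upstream patch. Quake 3 connectionless packets carry four 0xFF bytes followed by a command such as "getstatus"; a server answers a 13-byte request with a "statusResponse" carrying its full server-info string and one line per player, so an attacker who spoofs the victim's address as the source gets the server to send the victim many times the bytes the attacker sent. The server-info string, player list and "Bad rcon password" reply below are constructed sample data, and the per-source leaky bucket in front of the handler is an assumed mitigation design (bucket size, burst and period are arbitrary), written here to show why dropping excess requests per source address removes the amplification without touching the protocol:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Quake 3 connectionless ("out of band") packets start with four 0xFF bytes. */
#define OOB_HEADER "\xff\xff\xff\xff"

/* Constructed sample data standing in for a real server's state. */
static const char *kServerInfo =
    "\\sv_hostname\\example\\mapname\\q3dm17\\g_gametype\\0"
    "\\sv_maxclients\\16\\version\\ioq3 1.36";
static const char *kPlayers[] = { "12 50 \"Alice\"", "7 80 \"Bob\"", "0 120 \"Carol\"" };

/* Build a statusResponse (OOB header, command, infostring, one line per player).
 * Returns the payload length; this is what a single 'getstatus' elicits. */
size_t build_status_response(char *buf, size_t cap) {
    size_t n = 0;
    n += (size_t)snprintf(buf + n, cap - n, OOB_HEADER "statusResponse\n%s\n", kServerInfo);
    for (size_t i = 0; i < sizeof kPlayers / sizeof kPlayers[0]; i++)
        n += (size_t)snprintf(buf + n, cap - n, "%s\n", kPlayers[i]);
    return n;
}

/* Assumed mitigation: a leaky bucket per source address. Each request adds one
 * unit; one unit drains every PERIOD_MS; at BURST units further requests are dropped. */
typedef struct { uint32_t addr; int level; uint64_t last_ms; } bucket_t;
#define BUCKETS   1024
#define BURST     10
#define PERIOD_MS 1000
static bucket_t buckets[BUCKETS];
int g_rate_limit_enabled = 1;

void reset_rate_limiter(void) { memset(buckets, 0, sizeof buckets); }

/* Returns 1 if a request from addr (IPv4, host order) at now_ms must be dropped.
 * Toy table: a colliding address simply takes over the slot. */
int rate_limited(uint32_t addr, uint64_t now_ms) {
    bucket_t *b = &buckets[(addr * 2654435761u) % BUCKETS];
    if (b->addr != addr) { b->addr = addr; b->level = 0; b->last_ms = now_ms; }
    int drained = (int)((now_ms - b->last_ms) / PERIOD_MS);
    if (drained > 0) {
        b->level = b->level > drained ? b->level - drained : 0;
        b->last_ms += (uint64_t)drained * PERIOD_MS;
    }
    if (b->level >= BURST) return 1;
    b->level++;
    return 0;
}

/* Handle one inbound datagram; returns the number of bytes the server would send
 * back to src (0 when the packet is ignored or dropped by the rate limiter). */
size_t handle_packet(uint32_t src, uint64_t now_ms, const char *pkt, size_t len) {
    static char out[1024];
    char cmd[64] = {0};
    if (len < 4 || memcmp(pkt, OOB_HEADER, 4) != 0) return 0;   /* not connectionless */
    if (g_rate_limit_enabled && rate_limited(src, now_ms)) return 0;
    size_t clen = len - 4 < sizeof cmd - 1 ? len - 4 : sizeof cmd - 1;
    memcpy(cmd, pkt + 4, clen);
    if (strncmp(cmd, "getstatus", 9) == 0)
        return build_status_response(out, sizeof out);
    if (strncmp(cmd, "rcon", 4) == 0)   /* no valid password: short constructed error reply */
        return (size_t)snprintf(out, sizeof out, OOB_HEADER "print\nBad rcon password\n");
    return 0;
}

/* Replay n spoofed 'getstatus' packets, 1 ms apart, all claiming victim as source. */
typedef struct { size_t in_bytes, out_bytes, answered; } flood_stats_t;

flood_stats_t simulate_flood(uint32_t victim, int n, int limit_enabled) {
    static const char req[] = OOB_HEADER "getstatus";
    flood_stats_t s = {0, 0, 0};
    reset_rate_limiter();
    g_rate_limit_enabled = limit_enabled;
    for (int i = 0; i < n; i++) {
        size_t out = handle_packet(victim, (uint64_t)i, req, sizeof req - 1);
        s.in_bytes += sizeof req - 1;
        s.out_bytes += out;
        if (out) s.answered++;
    }
    return s;
}

int main(void) {
    uint32_t victim = 0x0A000001u;   /* 10.0.0.1, the spoofed source */
    flood_stats_t a = simulate_flood(victim, 1000, 0);
    flood_stats_t b = simulate_flood(victim, 1000, 1);
    printf("no limit : %zu requests in -> %zu answered, %zu bytes to victim (x%.1f)\n",
           a.in_bytes, a.answered, a.out_bytes, (double)a.out_bytes / (double)a.in_bytes);
    printf("with limit: %zu requests in -> %zu answered, %zu bytes to victim\n",
           b.in_bytes, b.answered, b.out_bytes);
    return 0;
}
```

The unlimited run shows the reflection ratio a single server contributes; the limited run shows that once a source is capped at BURST replies per PERIOD_MS the attacker's spoofed traffic no longer translates into proportional output, which is the property a fix for this class of bug has to restore. A per-source bucket alone does not stop an attacker who spreads spoofed sources across many victims, so a real deployment also wants a global cap on connectionless replies.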