Re: CVE-2010 Request: quake3 / openarena-server: DDoS by processing 'getstatus' and 'rcon' packets

[Kurt Seifried <kseifried () redhat com>]

On 03/26/2012 07:09 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
>
>   yet in 2010 the following problem has been corrected in Quake3 /
> OpenArena:
>
>   A distributed denial of service flaw was found in the way Quake3 Arena /
> OpenArena servers used to handle 'getstatus' and 'rcon' (remote command)
> connectionless requests. A remote attacker could use this flaw to perform
> distributed denial of service attack against the target server IP
> gameserver by
> spoofing certain packets.
>
> References:
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665656
> [2] http://openarena.ws/board/index.php?topic=4391.0
> [3] http://www.ioquake.org/forums/viewtopic.php?f=12&t=1694
> [4] http://www.urbanterror.info/forums/topic/27825-drdos/
> [5]
> http://lists.ioquake.org/pipermail/ioquake3-ioquake.org/2012-January/004778.html
>
> [6] https://bugzilla.redhat.com/show_bug.cgi?id=806898
>
> Relevant upstream patch:
> [7] http://icculus.org/pipermail/quake3-commits/2010-January/001679.html
>
> Could you allocate a CVE-2010-* CVE identifier for this issue?
>
> Thank you && Regards, Jan.
> -- 
> Jan iankko Lieskovsky / Red Hat Security Response Team
>
> P.S.: There doesn't seem to be a CVE identifier for this issue yet:
>       http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=quake3
>
>       mentions various Quake3 related security flaws, but doesn't
>       this concrete issue yet.

Please use CVE-2010-5077 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)