CVE-2021-32795

Exploit

EPSS 1.72%
Veröffentlicht 26.07.2021 20:15:08
Zuletzt bearbeitet 21.11.2024 06:07:45
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Denial of Service via Steam chat in ArchiSteamFarm

ArchiSteamFarm is a C# application with primary purpose of idling Steam cards from multiple accounts simultaneously. In versions prior to 4.3.1.0 a Denial of Service (aka DoS) vulnerability which allows attacker to remotely crash running ASF instance through sending a specifically-crafted Steam chat message exists. The user sending the message does not need to be authorized within the bot or ASF process. The attacker needs to know ASF's `CommandPrefix` in advance, but majority of ASF setups run with an unchanged default value. This attack does not allow attacker to gain any potentially-sensitive information, such as logins or passwords, does not allow to execute arbitrary commands and otherwise exploit the crash further. The issue is patched in ASF V4.3.1.0. The only workaround which guarantees complete protection is running all bots with `OnlineStatus` of `0` (Offline). In this setup, ASF is able to ignore even the specifically-crafted message without attempting to interpret it.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Archisteamfarm Project ≫ Archisteamfarm Version < 4.3.1.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.72%	0.745

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.9	2.2	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:N/A:P
security-advisories@github.com	6.5	2.2	4.2	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://github.com/JustArchiNET/ArchiSteamFarm/commit/4cd581ec041912cf199c5512fe6d1dcaec0594c0

Patch

Third Party Advisory

https://github.com/JustArchiNET/ArchiSteamFarm/security/advisories/GHSA-5v34-4prm-9474

Third Party Advisory

Exploit

https://steamcommunity.com/groups/archiasf/discussions/1/2935742047969570844/

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2021-32795

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-32795

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-32795

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2021-32795