UPDATE: Around two weeks ago it emerged that Valve had let a critical security flaw in Steam go unaddressed despite repeated warnings from a security researcher. The zero-day flaw was then published, leaving Steam users exposed to attack.
Valve has now issued a statement admitting it was wrong to turn away the researcher who reported the flaw, and confirming it has changed how Steam security reports are classified in its HackerOne bug bounty program. Any issue that may allow malware already on a user's machine to escalate its privileges through Steam is now within the scope of Steam Client Service reports.
"The researcher who discovered the bugs was incorrectly turned away through our HackerOne bug bounty program, where his report was classified as out of scope. This was a mistake," reads Valve's statement.
"Our HackerOne program rules were intended only to exclude reports of Steam being instructed to launch previously installed malware on a user’s machine as that local user. Instead, misinterpretation of the rules also led to the exclusion of a more serious attack that also performed local privilege escalation through Steam.
"We have updated our HackerOne program rules to explicitly state that these issues are in scope and should be reported. In the past two years, we have collaborated with and rewarded 263 security researchers in the community helping us identify and correct roughly 500 security issues, paying out over $675,000 in bounties. We look forward to continuing to work with the security community to improve the security of our products through the HackerOne program.
"In regards to the specific researchers, we are reviewing the details of each situation to determine the appropriate actions. We aren’t going to discuss the details of each situation or the status of their accounts at this time."
Original Story: 08-Aug-2019 - Severe zero-day security flaw discovered in Steam
A severe security vulnerability has been discovered in Valve's Steam software. A researcher by the name of Vasily Kravets has published a zero-day vulnerability in the Windows version of Steam after his report was rejected by Valve Software.
A zero-day vulnerability is a security flaw that becomes public, or is actively exploited, before the vendor has shipped a fix for it. Zero-days are dangerous precisely because there is nothing for users to patch: once the details are public, anyone can attempt to exploit the flaw while every installation remains vulnerable.
Okay, so there's a severe security flaw in Steam, Valve knows about it, it hasn't been patched, and everyone now knows how it can be exploited.
Kravets has explained his discovery in depth in his write-up but, in a nutshell, it relates to the 'Steam Client Service'. This Windows service is installed alongside every Steam installation, runs with full SYSTEM privileges, and is used for Valve's own internal purposes.
On startup the service sets permissions on registry keys under "HKLM\Software\Wow6432Node\Valve\Steam\Apps", writing a security descriptor onto each subkey that grants full read and write access to all users. Because the service does this as SYSTEM and trusts whatever it finds under that key, Kravets created his own test subkey there as a registry symbolic link pointing at a key elsewhere in the registry; when the service ran, it applied the same permissive descriptor to the link's target, handing every user full read and write access to a key they should never be able to touch.
From there an attacker already has what they need. A key that only administrators or SYSTEM should be able to modify, for example the configuration key of another Windows service, is now writable by any user, and that is a straightforward route to privilege escalation: point that service at a program of the attacker's choosing, start it, and the program runs with full SYSTEM rights.
The upshot is that any code already running as a standard user on the machine, whether malware or an attacker who has gained a local foothold, can use the service to escalate to SYSTEM, the highest privilege level on Windows. This is a local privilege escalation rather than a remote attack, but SYSTEM means near-total control of the system.
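The two conditions the attack combines, a subkey under the Steam Apps tree that is a registry symbolic link and a DACL on that tree granting write rights to all users, can both be audited from PowerShell. The script below is an added example written for this article; it is not code from Kravets's write-up or from Valve. It assumes the registry path named above and the well-known Windows SIDs for Everyone, Users, Authenticated Users and Anonymous; the `advapi32` calls are the documented Win32 registry API, used here because the .NET registry classes transparently follow symbolic links and so cannot see them. Run it as an administrator on Windows.

```powershell
# Added example (not from the article, Kravets or Valve): audit the Steam Apps registry
# subtree for registry symbolic links and for DACL entries that give broad groups write
# access. Either finding is what the described attack depends on.

$Base = 'SOFTWARE\Wow6432Node\Valve\Steam\Apps'   # path named in the article, under HKLM

# Well-known SIDs that should never hold write rights on a key a SYSTEM service trusts
$BroadSids = @('S-1-1-0', 'S-1-5-32-545', 'S-1-5-11', 'S-1-5-7')  # Everyone, Users, Authenticated Users, Anonymous
$WriteRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, WriteKey, ChangePermissions, TakeOwnership, FullControl'

# P/Invoke so a link key can be opened itself (REG_OPTION_OPEN_LINK) instead of being followed
Add-Type -Namespace RegAudit -Name Native -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern int RegOpenKeyExW(IntPtr hKey, string lpSubKey, uint ulOptions, int samDesired, out IntPtr phkResult);
[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern int RegQueryValueExW(IntPtr hKey, string lpValueName, IntPtr lpReserved, out uint lpType, byte[] lpData, ref uint lpcbData);
[DllImport("advapi32.dll")]
public static extern int RegCloseKey(IntPtr hKey);
'@

function Get-RegistryLinkTarget {
    # Returns the link target (e.g. \Registry\Machine\SYSTEM\...) if $SubKey is a symbolic link, else $null
    param([string]$SubKey)
    $HKLM = [IntPtr]::new(-2147483646)   # HKEY_LOCAL_MACHINE = 0x80000002 as a signed 32-bit value
    $REG_OPTION_OPEN_LINK = [uint32]0x8
    $KEY_READ = 0x20019
    $REG_LINK = [uint32]6
    $h = [IntPtr]::Zero
    if ([RegAudit.Native]::RegOpenKeyExW($HKLM, $SubKey, $REG_OPTION_OPEN_LINK, $KEY_READ, [ref]$h) -ne 0) { return $null }
    try {
        [uint32]$type = 0; [uint32]$size = 0
        # First call only sizes the buffer; an ordinary key has no SymbolicLinkValue and fails here
        if ([RegAudit.Native]::RegQueryValueExW($h, 'SymbolicLinkValue', [IntPtr]::Zero, [ref]$type, $null, [ref]$size) -ne 0) { return $null }
        $buf = New-Object byte[] $size
        [void][RegAudit.Native]::RegQueryValueExW($h, 'SymbolicLinkValue', [IntPtr]::Zero, [ref]$type, $buf, [ref]$size)
        if ($type -ne $REG_LINK) { return $null }
        return [System.Text.Encoding]::Unicode.GetString($buf)
    } finally {
        [void][RegAudit.Native]::RegCloseKey($h)
    }
}

function Find-SteamAppsKeyIssues {
    # Walks every subkey of the Apps tree and reports symbolic links and broad write access
    $findings = @()
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($Base)
    if (-not $root) { return $findings }   # Steam not installed, nothing to audit
    foreach ($name in $root.GetSubKeyNames()) {
        $path = "$Base\$name"

        # 1. A symlink under the trusted subtree: the service would apply its DACL to the target
        $target = Get-RegistryLinkTarget -SubKey $path
        if ($target) {
            $findings += [pscustomobject]@{ Key = $path; Issue = 'SymbolicLink'; Detail = $target }
        }

        # 2. Allow ACEs that hand write rights to Everyone/Users/Authenticated Users/Anonymous
        $acl = Get-Acl -Path "HKLM:\$path"
        foreach ($ace in $acl.Access) {
            try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { continue }   # unresolvable identity; skip rather than abort the audit
            $grantsWrite = (([int]$ace.RegistryRights) -band ([int]$WriteRights)) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $BroadSids -contains $sid -and $grantsWrite) {
                $findings += [pscustomobject]@{ Key = $path; Issue = 'BroadWriteAccess'; Detail = "$($ace.IdentityReference): $($ace.RegistryRights)" }
            }
        }
    }
    return $findings
}

Find-SteamAppsKeyIssues | Format-Table -AutoSize
```

A 'SymbolicLink' finding under this tree is something to investigate on sight, since nothing legitimate should plant links there; 'BroadWriteAccess' findings show the permissive descriptor the article describes and are worth re-checking after any client update to confirm the fix has actually landed on a given machine.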
What's particularly worrying here is that Kravets submitted the report through HackerOne, which passed it on to Valve, and Valve marked it "not applicable". After a bit of back and forth he waited out the 45-day disclosure window and has now publicly disclosed the vulnerability in the hope that Steam's developers will make the appropriate security changes.
The report was rejected by HackerOne and Valve on the grounds that the program's rules exclude "Attacks that require the ability to drop files in arbitrary locations on the user's filesystem" and "attacks that require physical access to the user's device". Neither condition applies to this attack, which needs only code running as an ordinary local user; Valve's later statement (above) concedes that this was a misreading of its own rules.
As it currently stands though, this security flaw is wide open and Valve has yet to address the issue. “They didn't want me to disclose the vulnerability”, explains Kravets. “At the same time, there was not even a single word from Valve. No, guys, that's not how it works. You didn’t respect my work, and that's the reason why I won’t respect yours — I see no reason why I shouldn't publish this report. Most likely I’ll be banned at H1 because of it, but it won't make me upset.”