Description
OpenComputers is a Minecraft mod that adds programmable computers and robots to the game. This issue affects every version of OpenComputers with the Internet Card feature enabled; that is, OpenComputers 1.2.0 until 1.8.3 in their most common, default configurations. If the OpenComputers mod is installed as part of a Minecraft server hosted on a popular cloud hosting provider, such as AWS, GCP and Azure, those metadata services' API endpoints are not forbidden (aka "blacklisted") by default. As such, any player can gain access to sensitive information exposed via those metadata servers, potentially allowing them to pivot or privilege escalate into the hosting provider. In addition, IPv6 addresses are not correctly filtered at all, allowing broader access into the local IPv6 network. This can allow a player on a server using an OpenComputers computer to access parts of the private IPv4 address space, as well as the whole IPv6 address space, in order to retrieve sensitive information. OpenComputers v1.8.3 for Minecraft 1.7.10 and 1.12.2 contains a patch for this issue. Some workarounds are also available. One may disable the Internet Card feature completely. If using OpenComputers 1.3.0 or above, using the allow list (`opencomputers.internet.whitelist` option) will prohibit connections to any IP addresses and/or domains not listed; or one may add entries to the block list (`opencomputers.internet.blacklist` option). More information about mitigations is available in the GitHub Security Advisory.
EPSS Score: 0%
Comprehensive Technical Analysis of EUVD-2023-41179
1. Vulnerability Assessment and Severity Evaluation
The vulnerability described in EUVD-2023-41179 affects the OpenComputers mod for Minecraft, specifically versions from 1.2.0 up to 1.8.3 (the release that carries the fix). The issue arises from the Internet Card feature, which does not block access to the metadata service API endpoints of popular cloud hosting providers such as AWS, GCP and Azure. Additionally, IPv6 addresses are not filtered at all, allowing broader access to the local IPv6 network.
Severity Evaluation:
- CVSS Base Score: 9.6
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
The high base score indicates a critical vulnerability due to the potential for unauthorized access to sensitive information and the ability to pivot or escalate privileges within the hosting provider's infrastructure.
2. Potential Attack Vectors and Exploitation Methods
Attack Vectors:
- Metadata Service Access: An attacker can exploit the vulnerability by using the Internet Card feature to access metadata services' API endpoints, which are not blacklisted by default. This can expose sensitive information such as instance IDs, security credentials, and other metadata.
- IPv6 Network Access: Because IPv6 addresses are not filtered at all, a player's in-game computer can reach the entire local IPv6 address space; parts of the private IPv4 address space that the default block list misses, such as the metadata endpoints, are reachable as well, potentially exposing sensitive information from the local network.
Exploitation Methods:
- Metadata Service Exploitation: An attacker can send crafted requests to the metadata service endpoints to retrieve sensitive information.
- Network Scanning: By exploiting the IPv6 filtering issue, an attacker can scan the local network for vulnerable devices and services.
3. Affected Systems and Software Versions
Affected Software:
- OpenComputers mod for Minecraft versions 1.2.0 through 1.8.3
Affected Systems:
- Minecraft servers hosted on popular cloud providers (AWS, GCP, Azure) with the OpenComputers mod installed and the Internet Card feature enabled.
4. Recommended Mitigation Strategies
Immediate Mitigations:
- Disable Internet Card Feature: Completely disable the Internet Card feature to prevent unauthorized access.
- Use Allow List: For OpenComputers versions 1.3.0 and above, configure the allow list (`opencomputers.internet.whitelist` option) to restrict connections to specific IP addresses and domains.
- Use Block List: Add entries to the block list (`opencomputers.internet.blacklist` option) to prohibit connections to known metadata service endpoints.
Long-Term Mitigations:
- Update to Patched Version: Upgrade to OpenComputers v1.8.3 for Minecraft 1.7.10 and 1.12.2, which contains a patch for this issue.
- Regular Security Audits: Conduct regular security audits and vulnerability assessments on Minecraft servers and associated mods.
5. Impact on European Cybersecurity Landscape
The vulnerability poses a significant risk to European organizations and individuals using Minecraft servers with the OpenComputers mod, especially those hosted on cloud providers. The potential for privilege escalation and unauthorized access to sensitive information can lead to data breaches, financial loss, and reputational damage. This underscores the importance of regular security updates and proactive vulnerability management in the European cybersecurity landscape.
6. Technical Details for Security Professionals
Vulnerability Details:
- Metadata Service Access: The Internet Card feature does not blacklist metadata service endpoints by default, allowing any player to access sensitive information.
- IPv6 Filtering Issue: IPv6 addresses are not correctly filtered, enabling broader access to the local IPv6 network and potentially exposing sensitive information.
Mitigation Configuration:
- Allow List Configuration: `opencomputers.internet.whitelist = ["allowed_ip_address", "allowed_domain"]`
- Block List Configuration: `opencomputers.internet.blacklist = ["metadata_service_endpoint"]`
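As an added illustration (not OpenComputers' own code, which reads these lists from its settings file), the following Python shows what a correct Internet Card address filter has to do to close both findings above: cover the IPv4 link-local range that hosts the cloud metadata endpoint, list IPv6 ranges explicitly, and unwrap IPv4-mapped IPv6 addresses so they cannot slip past IPv4-only rules. The block-list entries and probe targets are constructed for the example; `audit()` reports which sensitive targets a given block list still lets through, so an operator can check a proposed `opencomputers.internet.blacklist` before deploying it.

```python
import ipaddress
from typing import Iterable, List

# Illustrative filter, not OpenComputers' own code. Entries mirror the kind of
# CIDR strings an operator would put in opencomputers.internet.blacklist.
# Constructed hardened block list: RFC 1918 space plus the ranges the advisory
# says were missed, i.e. the IPv4 link-local range that hosts the cloud
# metadata endpoint and the IPv6 loopback/link-local/ULA ranges.
HARDENED_BLOCK = [
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16",                    # 169.254.169.254 lives here
    "::1/128", "fe80::/10", "fc00::/7",  # IPv6 loopback, link-local, ULA
]

# Constructed probe targets that a correct filter is expected to refuse.
SENSITIVE_TARGETS = [
    "169.254.169.254",          # AWS/GCP/Azure metadata endpoint (IPv4)
    "::ffff:169.254.169.254",   # same endpoint written as IPv4-mapped IPv6
    "fe80::1",                  # IPv6 link-local neighbour
    "10.0.0.5",                 # RFC 1918 host
]


def normalize(addr: str):
    """Parse an address; unwrap IPv4-mapped IPv6 so IPv4 rules still apply."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def _matches(ip, entries: Iterable[str]) -> bool:
    # A network of the other IP version never contains the address, so IPv6
    # targets are only caught when the operator listed IPv6 entries too.
    return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)


def is_allowed(addr: str, whitelist: Iterable[str] = (),
               blacklist: Iterable[str] = HARDENED_BLOCK) -> bool:
    """Allow-list semantics win when one is set; otherwise deny what is blocked."""
    ip = normalize(addr)
    whitelist = list(whitelist)
    if whitelist:
        return _matches(ip, whitelist)
    return not _matches(ip, blacklist)


def audit(blacklist: Iterable[str]) -> List[str]:
    """Return the sensitive targets a given block list still lets through."""
    bl = list(blacklist)
    return [t for t in SENSITIVE_TARGETS if is_allowed(t, blacklist=bl)]
```

Running `audit()` over a block list that contains only the RFC 1918 ranges shows the metadata endpoint (in both spellings) and the IPv6 link-local address still allowed, which is exactly the gap the advisory describes.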
By addressing this vulnerability promptly and implementing the recommended mitigations, organizations can significantly reduce the risk of exploitation and protect their sensitive information.