Description
CC: Tweaked is a mod for Minecraft which adds programmable computers, turtles, and more to the game. Prior to versions 1.20.1-1.106.0, 1.19.4-1.106.0, 1.19.2-1.101.3, 1.18.2-1.101.3, and 1.16.5-1.101.3, if the cc-tweaked plugin is running on a Minecraft server hosted on a popular cloud hosting provider, like AWS, GCP, or Azure, that provider's metadata service API endpoints are not forbidden (aka "blacklisted") by default. As such, any player can gain access to sensitive information exposed via those metadata servers, potentially allowing them to pivot or privilege escalate into the hosting provider. Versions 1.20.1-1.106.0, 1.19.4-1.106.0, 1.19.2-1.101.3, 1.18.2-1.101.3, and 1.16.5-1.101.3 contain a fix for this issue.
EPSS Score:
0%
Comprehensive Technical Analysis of EUVD-2023-41180
1. Vulnerability Assessment and Severity Evaluation
Vulnerability Description: The vulnerability affects the CC: Tweaked mod for Minecraft, which introduces programmable computers and other features to the game. Prior to specific versions, the mod does not blacklist metadata services API endpoints by default when running on popular cloud hosting providers like AWS, GCP, and Azure. This oversight allows any player to access sensitive information exposed via these metadata servers, potentially leading to privilege escalation or pivoting into the hosting provider's infrastructure.
Severity Evaluation:
The vulnerability has a CVSS Base Score of 9.6, which is considered critical. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N indicates:
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Scope (S): Changed (C)
- Confidentiality (C): High (H)
- Integrity (I): High (H)
- Availability (A): None (N)
This high severity score underscores the critical nature of the vulnerability, particularly due to the potential for unauthorized access to sensitive information and the ease of exploitation.
2. Potential Attack Vectors and Exploitation Methods
Attack Vectors:
- Network-Based Attacks: An attacker can exploit this vulnerability over the network without requiring physical access to the system.
- Metadata Service Access: By accessing the metadata services API endpoints, an attacker can retrieve sensitive information such as instance IDs, security credentials, and other metadata.
Exploitation Methods:
- Information Gathering: An attacker can query the metadata services to gather information about the cloud environment, which can be used for further attacks.
- Privilege Escalation: With the gathered information, an attacker can attempt to escalate privileges within the cloud environment, potentially gaining unauthorized access to other resources.
- Pivoting: The attacker can use the information to pivot to other systems within the cloud infrastructure, expanding the scope of the attack.
3. Affected Systems and Software Versions
Affected Versions:
- CC: Tweaked versions prior to 1.20.1-1.106.0, 1.19.4-1.106.0, 1.19.2-1.101.3, 1.18.2-1.101.3, and 1.16.5-1.101.3.
Affected Systems:
- Minecraft servers running the CC: Tweaked mod on popular cloud hosting providers such as AWS, GCP, and Azure.
4. Recommended Mitigation Strategies
Immediate Mitigation:
- Update to Patched Versions: Upgrade to the patched versions of CC: Tweaked (1.20.1-1.106.0, 1.19.4-1.106.0, 1.19.2-1.101.3, 1.18.2-1.101.3, and 1.16.5-1.101.3) to address the vulnerability.
- Restrict Metadata Access: Implement network security controls to restrict access to metadata services API endpoints.
- Monitoring and Logging: Enable logging and monitoring to detect any unauthorized access attempts to metadata services.
Long-Term Mitigation:
- Regular Security Audits: Conduct regular security audits of mods and plugins used in Minecraft servers.
- Cloud Security Best Practices: Follow cloud security best practices, including the use of IAM roles and policies to restrict access to metadata services.
5. Impact on European Cybersecurity Landscape
Impact Assessment:
- Data Breaches: The vulnerability can lead to data breaches, exposing sensitive information stored in cloud environments.
- Compliance Risks: Organizations may face compliance risks related to data protection regulations such as GDPR if sensitive data is compromised.
- Reputation Damage: Successful exploitation can result in reputational damage for organizations hosting Minecraft servers.
Regulatory Considerations:
- GDPR Compliance: Organizations must ensure that they comply with GDPR requirements for data protection and breach reporting.
- Incident Response: Develop and maintain an incident response plan to quickly address and mitigate any security incidents.
6. Technical Details for Security Professionals
Vulnerability Details:
- Root Cause: By default, the CC: Tweaked mod does not blacklist the metadata services API endpoints.
- Fix Implementation: The fix involves updating the AddressPredicate.java file to include blacklisting for metadata services API endpoints.
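The kind of address check the fix describes, as an added example; this is not the code in CC: Tweaked's AddressPredicate.java. The class name, method names and the two-entry deny list are assumptions made for illustration, and the sample hosts in `main` are constructed.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.List;

/** Hypothetical outbound-address filter; not CC: Tweaked's own implementation. */
public class MetadataDenyCheck {
    // Assumed deny list of well-known cloud metadata addresses.
    private static final List<String> METADATA = List.of(
        "169.254.169.254", // IPv4 metadata endpoint used by AWS, GCP and Azure
        "fd00:ec2::254"    // AWS IPv6 metadata endpoint
    );

    /** True when a resolved address must never be reached from in-game code. */
    static boolean isDenied(InetAddress addr) {
        // Range checks cover loopback, 169.254.0.0/16 and RFC 1918 space.
        if (addr.isAnyLocalAddress() || addr.isLoopbackAddress()
                || addr.isLinkLocalAddress() || addr.isSiteLocalAddress()) {
            return true;
        }
        // fd00::/8 is not flagged by isSiteLocalAddress(), so the IPv6
        // metadata address needs an explicit entry.
        for (String literal : METADATA) {
            try {
                if (InetAddress.getByName(literal).equals(addr)) {
                    return true;
                }
            } catch (UnknownHostException e) {
                throw new IllegalStateException("bad deny-list literal: " + literal, e);
            }
        }
        return false;
    }

    /** Checks every address the host resolves to, not the host string itself. */
    static boolean hostAllowed(String host) throws UnknownHostException {
        for (InetAddress addr : InetAddress.getAllByName(host)) {
            if (isDenied(addr)) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs (IP literals, so no DNS lookup happens).
        String[] hosts = {"169.254.169.254", "::ffff:169.254.169.254",
                          "fd00:ec2::254", "10.0.0.5", "93.184.216.34"};
        for (String host : hosts) {
            System.out.println(host + " -> " + (hostAllowed(host) ? "allow" : "deny"));
        }
    }
}
```

The check runs on resolved addresses because a hostname can point at a denied IP; the connection should then be made to the address that was checked, not re-resolved.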
Conclusion: The vulnerability in CC: Tweaked highlights the importance of securing cloud environments and ensuring that all plugins and mods are regularly updated and audited for security issues. Organizations should prioritize updating to the patched versions and implementing robust security controls to mitigate the risk of exploitation.