Recently, a researcher publicly disclosed a zero-day vulnerability in Steam that affected millions of users. He had to publicly disclosed this LPE flaw after facing non-cooperation on his bug report from Valve. However, after disclosure, Valve silently fixed the bug in its beta Steam Client. However, the researcher came up with another vulnerability report that he couldn’t report as he faced a ban on his previous report. Consequently, he ended up disclosing both Steam zero-days publicly. Nonetheless, it seems Valve has now realized its mistake.
Second Steam Zero-Day Flaw Disclosed
Following the first LPE flaw (CVE-2019-14743), the researcher Vasily Kravets aka Felix came up with another zero-day. Explaining his findings in a detailed blog post, Felix revealed about another local privilege escalation (CVE-2019-15316) that could result in ‘disastrous consequences’. As mentioned in the blog about the consequences,
disabling firewall and antivirus, rootkit installation, concealing of process-miner, theft any PC user’s private data — is just a small portion of what could be done.
Felix had to publicly disclose this vulnerability as Valve had banned him on the HackerOne bug bounty program.
Valve banned me on their H1 program.
I release new #ZeroDay #PublicDisclosure EoP vulnerability at Steam.
Rus – https://t.co/jAoq5kCTfF
Eng – https://t.co/FfGXltXmpX
— Felix aka [xi-tauw] (@PsiDragon) August 20, 2019
Meanwhile, another researcher Xiaoyin Liu also figured out a way to bypass (CVE-2019-15315) the patch for the first LPE.
I found a way to bypass the fix. The bypass requires dropping a file in a nonadmin-writable location, so I think it's out-of-scope for Valve. Write-up: https://t.co/Lalum8LTvY cc @PsiDragon @enigma0x3 @steam_games #infosec #steam #bugbounty https://t.co/qIylEG7u2L
— Xiaoyin Liu (@general_nfs) August 15, 2019
Valve’s Response To Both Steam Zero-Days
After public disclosure of the second vulnerability as well, Valve released a fix in its Steam Beta Client. It is evident from the word ‘vulnerabilities’ in its announcement that Valve now has addressed both Steam zero-days.
In addition, the entire Steam fiasco has eventually compelled Valve to admit their mishandling of the issue. According to their statement shared with Bleeping Computer, Valve admits that turning away the bugs was a ‘mistake’.
We are aware of the recent reports of two zero day local privilege escalation bugs related to the Steam Client… We are also aware that the researcher who discovered the bugs was incorrectly turned away through our HackerOne bug bounty program, where his report was classified as out of scope. This was a mistake.
Also, they have updated their HackerOne program rules.
Our HackerOne program rules were intended only to exclude reports of Steam being instructed to launch previously installed malware on a user’s machine as that local user. Instead, misinterpretation of the rules also led to the exclusion of a more serious attack that also performed local privilege escalation through Steam.
We have updated our HackerOne program rules to explicitly state that these issues are in scope and should be reported.”
Though, things seem to have resolved to a greater extent. Yet, it still remains unclear if Felix would receive any compensation and unbanning at H1 or not.
Let us know your thoughts in the comments.