Vulnerability Details : CVE-2017-6903
In ioquake3 before 2017-03-14, the auto-downloading feature has insufficient content restrictions. This also affects Quake III Arena, OpenArena, OpenJK, iortcw, and other id Tech 3 (aka Quake 3 engine) forks. A malicious auto-downloaded file can trigger loading of crafted auto-downloaded files as native code DLLs. A malicious auto-downloaded file can contain configuration defaults that override the user's. Executable bytecode in a malicious auto-downloaded file can set configuration variables to values that will result in unwanted native code DLLs being loaded, resulting in sandbox escape.
Products affected by CVE-2017-6903
- cpe:2.3:a:ioquake3:ioquake3:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-6903
- 0.18%: probability of exploitation activity in the next 30 days
- ~ 55%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-6903
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.3 | HIGH | AV:N/AC:M/Au:N/C:C/I:C/A:C | 8.6 | 10.0 | NIST | |
7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 1.8 | 5.9 | NIST | |
References for CVE-2017-6903
- https://github.com/iortcw/iortcw/commit/11a83410153756ae350a82ed41b08d128ff7f998
  All: Merge some file writing extension checks · iortcw/iortcw@11a8341 · GitHub (Issue Tracking; Patch)
- https://github.com/JACoders/OpenJK/commit/8956a35e7b91c4a0dd1fa6db1d28c7f0efbab2d7
  Shared: Merge ioquake/ioq3@376267d534476a875d8b9228149c4ee18b74a4fd · JACoders/OpenJK@8956a35 · GitHub (Issue Tracking; Patch)
- https://github.com/ioquake/ioq3/commit/b173ac05993f634a42be3d3535e1b158de0c3372
  Merge some file writing extension checks from OpenJK. · ioquake/ioq3@b173ac0 · GitHub (Issue Tracking; Patch)
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857699
  #857699 - ioquake3: CVE-2017-6903: privilege escalation by auto-downloaded files - Debian Bug report logs (Third Party Advisory)
- https://github.com/iortcw/iortcw/commit/b248763e4878ef12d5835ece6600be8334f67da1
  All: Don't open .pk3 files as OpenAL drivers · iortcw/iortcw@b248763 · GitHub (Issue Tracking; Patch)
- https://github.com/ioquake/ioq3/commit/f61fe5f6a0419ef4a88d46a128052f2e8352e85d
  Don't open .pk3 files as OpenAL drivers. · ioquake/ioq3@f61fe5f · GitHub (Issue Tracking; Patch)
- http://www.debian.org/security/2017/dsa-3812
  Debian -- Security Information -- DSA-3812-1 ioquake3
- https://github.com/ioquake/ioq3/commit/376267d534476a875d8b9228149c4ee18b74a4fd
  Don't load .pk3s as .dlls, and don't load user config files from .pk3s. · ioquake/ioq3@376267d · GitHub (Issue Tracking; Patch)
- https://ioquake3.org/2017/03/13/important-security-update-please-update-ioquake3-immediately/
  Important Security Update: Please Update ioquake3 Immediately – ioquake3 (Vendor Advisory)
- https://github.com/iortcw/iortcw/commit/b6ff2bcb1e4e6976d61e316175c6d7c99860fe20
  All: Don't load .pk3s as .dlls, and don't load user config files from… · iortcw/iortcw@b6ff2bc · GitHub (Issue Tracking; Patch)