Mods make games more fun, but occasionally we get a reminder that the gaming industry is booming and remains a big target for gate-crashers and bad actors. A new vulnerability named “BleedingPipe” is causing Minecrafters to sit up and take notice. BleedingPipe enables full remote code execution on modded game servers and on the clients connected to them: an attacker can run arbitrary code on a victim’s device or plant malware through remote commands.
BleedingPipe affects several popular Minecraft mods. It is being exploited in the wild, so it poses a significant threat both to Minecraft server administrators and to the ordinary players on their servers.
But why does BleedingPipe target mods rather than the game itself, what are sandbox games, and is it even safe to keep playing Minecraft?
What is the BleedingPipe Vulnerability?
BleedingPipe is a Remote Code Execution (RCE) vulnerability. The flaw lies not in Forge itself but in several popular mods that use unsafe Java deserialization in their networking code. According to the Minecraft Malware Prevention Alliance (MMPA), it is not just a theoretical threat: there are examples of a bad actor exploiting it in the wild. It affects certain mods running on Forge for Minecraft 1.7.10 and 1.12.2.
Mods like EnderCore, LogisticsPipes, and BDLib (which have already been fixed in their GT New Horizons versions), as well as Smart Moving 1.12, Brazier, Gadomancy, and DankNull, are known to be affected.
However, the Minecraft version alone is not what matters: other versions could also be vulnerable if you are running an affected mod.
Why are attackers focusing on mods for this attack?
Sandbox games allow players to create, modify, and explore a virtual world far more freely than games built around a fixed progression. Popular sandbox games include Minecraft and Grand Theft Auto Online.
Mods (modifications) are user-created tweaks or additions to a game that introduce new levels, characters, landscapes, or items. Anyone can create mods, and they are widely shared within the gaming community for others to download and use. Minecraft modding is very popular, and many servers worldwide offer custom modpacks and worlds for their fans.
However, many of these servers run mods that contain this vulnerability. Attackers go after game servers because compromising one lets them reach every connected client. In a nutshell, the attacker sends specially crafted network packets to a vulnerable modded Minecraft server; a successful attack gives them control of the server, which can then be turned against the players’ devices as well.
What does BleedingPipe do?
It may bring a tiny sigh of relief that BleedingPipe is based on a class of attack that is well known in the Java community. So even though it is being actively exploited, mod developers are well positioned to fix it.
It relies on the long-known danger of java.io.ObjectInputStream deserialization: readObject() will instantiate whatever Serializable class the sender names, as long as that class is on the server’s classpath, and for certain classes (“gadgets”) deserialization runs code as a side effect. Chaining such gadgets yields arbitrary code execution, which is why this type of attack is generally called a deserialization attack or gadget chain. Mods that use ObjectInputStream (OIS) in their networking code are exposed because they hand attacker-supplied packet bytes straight to it.
It is a very serious flaw: an attacker can drop and run a payload on the server, and the compromised server becomes the first link in a chain, since the same mechanism can then be used against the players connected to it.
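To make the vulnerable pattern concrete, here is an added example (not code from any of the mods named above, nor from PipeBlocker): a hypothetical PipeUpdate packet type, a mod-style handler that feeds raw packet bytes straight into ObjectInputStream, and a hardened reader whose resolveClass() override refuses any class not on an allowlist. The HashMap is only a stand-in for an attacker-chosen object so the filter can be seen rejecting it; this is a constructed demonstration, not an exploit.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Set;

public final class PacketDeserialization {

    // Hypothetical payload type a pipe/logistics mod might legitimately send.
    public static final class PipeUpdate implements Serializable {
        private static final long serialVersionUID = 1L;
        final int x, y, z;
        final String routingInfo;

        PipeUpdate(int x, int y, int z, String routingInfo) {
            this.x = x; this.y = y; this.z = z; this.routingInfo = routingInfo;
        }

        @Override public String toString() {
            return "PipeUpdate[" + x + "," + y + "," + z + " " + routingInfo + "]";
        }
    }

    // VULNERABLE PATTERN: bytes from the network go straight into ObjectInputStream.
    // The sender picks which Serializable class gets instantiated, so a gadget chain
    // runs inside readObject() before the mod ever looks at the result.
    public static Object readUnsafe(byte[] packet) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(packet))) {
            return in.readObject();
        }
    }

    // HARDENED: refuse every class descriptor not on an allowlist. resolveClass() is
    // consulted before any instance is created, so a disallowed class never reaches
    // readObject/readResolve. This works on Java 8 (the runtime for Forge 1.7.10/1.12.2);
    // on Java 9+ java.io.ObjectInputFilter is an alternative.
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        private static final Set<String> ALLOWED = Collections.unmodifiableSet(
                new HashSet<String>(Arrays.asList(PipeUpdate.class.getName())));

        AllowlistObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not permitted in mod packets");
            }
            return super.resolveClass(desc);
        }
    }

    public static PipeUpdate readSafe(byte[] packet) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(packet))) {
            return (PipeUpdate) in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new PipeUpdate(10, 64, -3, "route:north"));
        System.out.println("unsafe reader, legit packet  : " + readUnsafe(legit));
        System.out.println("safe reader,   legit packet  : " + readSafe(legit));

        // Constructed stand-in for an attacker-chosen object. A real exploit sends a
        // gadget chain; many published chains start from a HashMap whose entries run
        // code when hashCode() is called during deserialization.
        HashMap<String, String> hostile = new HashMap<>();
        hostile.put("anything", "the server never asked for this");
        byte[] hostilePacket = serialize(hostile);
        System.out.println("unsafe reader, hostile packet: " + readUnsafe(hostilePacket));
        try {
            readSafe(hostilePacket);
        } catch (InvalidClassException e) {
            System.out.println("safe reader,   hostile packet: rejected " + e.classname);
        }
    }
}
```

The unsafe reader happily returns the HashMap (or runs whatever a real chain does), while the allowlisted reader throws InvalidClassException before any instance exists. Two caveats: the allowlist must name every class that legitimate packets contain, including superclasses and array types such as `[I`, or real traffic breaks; and a filter like this is defence in depth, not a substitute for the MMPA’s advice to stop using Java serialization for network data altogether.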
What is the effect on Minecraft players?
The scale of the attack took everyone by surprise. According to the MMPA article referenced earlier, someone has already scanned every Minecraft server in the IPv4 address space, and the MMPA suspects a malicious payload may have been deployed to affected servers. They do not know what the payload contained or whether it was used to attack the clients on those servers, but they believe that to be possible.
Mod developers who use ObjectInputStream have been urged to switch immediately to a different, safer serializer or to write their own.
However, the MMPA believes the danger may persist even after the flaw is patched: they know several servers were compromised but do not know what payload was dropped on them.
Can you play Minecraft safely right now?
If you use any mods for Minecraft, stop and inspect the versions of the mods you are running. If one of the known affected mods (EnderCore, LogisticsPipes, BDLib, Brazier, Smart Moving 1.12, Gadomancy, or DankNull) is installed on Forge 1.7.10 or 1.12.2, you are not safe. Other Forge versions are likely safe unless an affected mod is installed.
Still, all players should run a thorough antivirus scan on their PCs and use specialist tools to check their .minecraft directory for suspicious files; the MMPA recommends jSus or jNeedle. If you never play on modded servers at all, you are not exposed.
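To narrow down which installed mods even use ObjectInputStream, here is an added triage scanner (not one of the MMPA’s tools, and unrelated to jSus or jNeedle): it opens every jar in a mods directory and reports the .class entries whose constant pool references java/io/ObjectInputStream. The class name OisModScanner and the default ~/.minecraft/mods location (the Linux client path) are assumptions for this example.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

public final class OisModScanner {
    // Compiled classes store referenced class names in the constant pool as UTF-8 in
    // internal (slash-separated) form, so any class that uses ObjectInputStream
    // contains this byte sequence verbatim.
    private static final byte[] NEEDLE =
            "java/io/ObjectInputStream".getBytes(StandardCharsets.US_ASCII);

    /** Names of the .class entries in one mod jar that reference ObjectInputStream. */
    public static List<String> classesReferencingOis(Path jar) throws IOException {
        List<String> hits = new ArrayList<>();
        try (ZipInputStream zin = new ZipInputStream(Files.newInputStream(jar))) {
            ZipEntry entry;
            while ((entry = zin.getNextEntry()) != null) {
                if (entry.isDirectory() || !entry.getName().endsWith(".class")) continue;
                if (contains(readEntry(zin), NEEDLE)) hits.add(entry.getName());
            }
        }
        return hits;
    }

    // Reads the current zip entry to its end (manual loop keeps this Java 8 compatible).
    private static byte[] readEntry(InputStream in) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[8192];
        int n;
        while ((n = in.read(chunk)) != -1) buf.write(chunk, 0, n);
        return buf.toByteArray();
    }

    // Plain byte-sequence search; class files are small enough that this is fine.
    private static boolean contains(byte[] haystack, byte[] needle) {
        outer:
        for (int i = 0; i + needle.length <= haystack.length; i++) {
            for (int j = 0; j < needle.length; j++) {
                if (haystack[i + j] != needle[j]) continue outer;
            }
            return true;
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        // Pass a server's mods/ directory as the first argument; otherwise scan the client default.
        Path modsDir = args.length > 0 ? Paths.get(args[0])
                : Paths.get(System.getProperty("user.home"), ".minecraft", "mods");
        try (DirectoryStream<Path> jars = Files.newDirectoryStream(modsDir, "*.jar")) {
            for (Path jar : jars) {
                List<String> hits = classesReferencingOis(jar);
                if (hits.isEmpty()) continue;
                System.out.println(jar.getFileName() + ": " + hits.size()
                        + " class(es) reference ObjectInputStream");
                for (String h : hits) System.out.println("    " + h);
            }
        }
    }
}
```

Read the output as a review list, not a verdict: a hit means the mod deserializes Java objects somewhere, which could be a save file or config rather than a network packet, and a mod that shades a library inside a nested jar is not descended into. Conversely, a clean result says nothing about whether a dropped payload is already present on the machine; that is what jSus and jNeedle look for.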
How to manage the BleedingPipe risk
Server administrators have been asked to take these three steps:
- Update to the latest versions of EnderIO (which ships EnderCore) or LogisticsPipes, available on CurseForge.
- If you use BDLib, migrate to the patched GT New Horizons fork.
- You can also install the mod ‘PipeBlocker’ on Forge servers to protect modded clients.
Server admins should stay alert and check regularly for suspicious activity. They should apply updates and security patches as soon as they are released to help protect players.
Players should keep their antivirus solutions up to date and run regular scans to spot malicious activity. No one yet knows what the dropped payload does or when it will become active. Stay informed, keep endpoint protection software and VPNs on your private devices, and keep gaming!