Advisory Details

May 19th, 2015

Valve Steam Client Detection Denial of Service Vulnerability

ZDI-15-233
ZDI-CAN-2627

CVE ID CVE-2015-4016
CVSS SCORE 5, (AV:N/AC:L/Au:N/C:N/I:N/A:P)
AFFECTED VENDORS Valve
AFFECTED PRODUCTS Steam
VULNERABILITY DETAILS


This vulnerability allows remote attackers to execute a denial of service attack on vulnerable installations of Valve Steam. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the Steam client detection protocol. By responding to a broadcast packet with a crafted response, an attacker can cause the Steam process to crash.

ADDITIONAL DETAILS Valve has issued an update to correct this vulnerability. More details can be found at:
http://store.steampowered.com/news/16801/
DISCLOSURE TIMELINE
  • 2015-05-14 - Vulnerability reported to vendor
  • 2015-05-19 - Coordinated public release of advisory
CREDIT Elvis Collado - HP DVLabs
BACK TO ADVISORIES