The gaming giant Valve has called its dismissal of a researcher's reports, submitted through the HackerOne bug bounty platform, a "mistake"
One of the leading gaming industry companies, Valve, recently came under scrutiny for its handling of the security of its hugely popular Steam platform. After the story spread across the media, the company quickly patched the reported zero-day local privilege escalation (LPE) vulnerabilities and called the ordeal a "mistake."
The company responded to ZDNet with the following statement:
Our HackerOne program rules were intended only to exclude reports of Steam being instructed to launch previously installed malware on a user's machine as that local user. Instead, misinterpretation of the rules also led to the exclusion of a more serious attack that also performed local privilege escalation through Steam.
In addition to patching the flaw, Valve also reviewed its bug bounty policy and promised to reconsider the ban of the security researcher who discovered the LPE flaws in the first place.
The Zero-day was reported by two researchers
A few weeks ago, Russian security researcher PsiDragon (Vasily Kravets) found the vulnerability within the Steam platform and reported it via the HackerOne bug bounty program. Valve dismissed the claim, citing its program terms and stating that the flaw was out of scope, and consequently refused to do anything about it. However, the company also forbade the researcher from disclosing the vulnerability publicly; Valve considered the issue "case closed."
Kravets then released a proof of concept (PoC) of the local privilege escalation flaw. The vulnerability, while not as dangerous as a remote code execution vulnerability, would allow an attacker who has already infected the machine with malware to use Steam as a stepping stone to escalate privileges and completely take over the already compromised computer. Reputable companies like Microsoft continually patch LPE/EoP vulnerabilities, as they are considered a genuine threat.
In the meantime, another respected security researcher, Matt Nelson, also discovered the bug within Steam and reported it via HackerOne, only to go through a similarly unpleasant conversation with the staff as Vasily Kravets did. Nelson then posted a video on YouTube detailing the whole privilege escalation process, which uses the registry as well as the Command Prompt.
Valve was hit by infosecurity community backlash
Soon after the first vulnerability was disclosed, Valve patched the zero-day. However, the fix was not complete, as another security researcher, Xiaoyin Liu, quickly found a way to bypass it and posted the findings on Twitter.
Five days later, Kravets discovered a second zero-day EoP vulnerability but could not report it to Valve, as he had been banned from the HackerOne platform.
What Valve did essentially showed the community that it does not care about the safety of a platform used by more than 100 million Windows users. Moreover, while it is true that attackers cannot break into a machine through the Steam client using the EoP/LPE flaw alone, it can be used post-exploitation to obtain admin or root privileges on an already compromised system.
Matt Nelson, along with Vasily Kravets, was dissatisfied with Valve's response, to say the least. While Kravets said he was extremely disappointed by the company, Nelson said that Valve could not just pick and choose which flaws are security concerns for its millions of users:
@steam_games that’s not really how that works. You can’t pick and choose what you define as a vulnerability. Your software is breaking the Windows security model.
In the end, the researcher asked only for the bug to be fixed and did not even seek bounty money, all while Valve responded with the "please familiarize yourself with our disclosure guidelines and ensure that you're not putting the company or yourself at risk" statement.
Valve revamped its bug bounty program to include LPE/EoP vulnerabilities and is reviewing the researcher's ban
On August 21, a Steam Beta client update was released that patched both of the reported zero-day vulnerabilities. Valve also released an update to its HackerOne bounty program policy, which now treats LPE/EoP flaws as a legitimate cause for concern and encourages researchers to keep reporting such vulnerabilities if found:
Attacks that involve the user running malware that then places or modifies content on the target machine, which Steam could later run as the local user. However, any case that allows malware or compromised software to perform a privilege escalation through Steam, without providing administrative credentials or confirming a UAC dialog, is in scope. Any unauthorized modification of the privileged Steam Client Service is also in scope.
The company representative told ZDNet that denying the potential danger of the discovered zero-days was a "mistake" and that Kravets' ban is being reviewed. Nevertheless, the researcher still remains banned as of this writing.
While Valve is clearly trying to repair its reputation after realizing that it behaved inadequately, the released patches and the struggle the researchers went through were not in vain, and hopefully these actions will make the Steam platform safer and prevent users from falling victim to software vulnerabilities.