
Potential security flaw in Reforger
Closed, Resolved, Public

Description

Hi. I've been running a server box for my friends for Arma 3 and DCS. I attempted to get Reforger working last night (AU time) and ran into some issues. I had heard from my friend Rossmum that it was claimed on the CUP discord there are some security issues with Reforger mods. However at the time I was not aware of the claim that the same exploit exists while running Reforger in admin mode, something I had been doing trying everything to get my server to run.

This morning I woke up to find my server machine infected with Ransomware. This has also seemingly affected a reinstall of my DCS Server software, whereby the server exe is now installed as a text file (I have since been informed this is how it should be, however the server executable is missing in the bin folder regardless). I'm writing this to make sure BI are aware of this possible security risk and to make server owners aware they may be vulnerable, including players who have downloaded mods. Below are screenshots of my issue this morning, in order:

  1. Server box ransomware
  2. Discussion with Rossmum regarding the CUP discord claim

https://media.discordapp.net/attachments/918320256794128386/976717819959996437/unknown.png?width=932&height=524

https://media.discordapp.net/attachments/712134803851313212/976717389905395712/unknown.png

Details

Severity
Major
Resolution
Unable To Duplicate
Reproducibility
Have Not Tried
Operating System
Windows 10 x64
Category
General
Steps To Reproduce

I am not attempting to reproduce, I do not want my system infected again

Additional Information

I understand this could be any number of things; however, the information regarding the flaw that I was made aware of, and the immediate infection of my machine with malware, I do not believe to be a coincidence. The DCS install issue I am not entirely sure is related, but it has only become a problem since the Ransomware attack.

Event Timeline

EnvyC created this task. May 19 2022, 8:00 AM
EnvyC updated the task description. May 19 2022, 8:02 AM
EnvyC updated the task description.
EnvyC updated the task description.
EnvyC edited Additional Information.
mrzorn added a subscriber: mrzorn. May 19 2022, 9:57 AM
Azeh added a subscriber: Azeh. May 19 2022, 6:19 PM
dedmen added a subscriber: dedmen. Edited May 19 2022, 9:26 PM

The flaw that was reported in CUP Discord was that the Reforger Workbench tool's scripts can delete files on the filesystem (which is somewhat intentional as IDE plugins should have access to files on disk).

That is completely different from a Reforger dedicated server (which is not the Workbench tool) allegedly installing malware. Also, you didn't mention that you installed mods, did you? If so, which?

Programmers are aware of the security implications of it, which is why that type of access is disabled in the normal client/server; it's only in tools.

This sounds like it's a different issue, but nevertheless this will definitely be investigated.

Edit: User clarified that they indeed were not running any mods, and were running dedicated server which is not affected by the mentioned workbench tools security issue. There is something else going on.

This should be closed as invalid.

while running Reforger in admin mode

WHY would anyone ever do such a thing? A simple game server should never need to run with elevated privileges. All "run as admin" does is solve some permission issues, so the actual root cause surely is not Reforger or the workshop but obviously some bad permissions somewhere else.
Also:

a server box

A regular Windows 10 CLIENT should not be run as a "server", not even if you host something on a local system at home over your private internet access. It's fair to assume quite a lot of mis-config along with improper permissions are the real cause of whatever happened.

In addition: no matter if it's the workshop or something in-game, if you run others' code there's always the potential for malicious stuff. The new approach BI has gone with here comes with its risks, no doubt, but it's unlikely that this has caused the claimed attack.

We have investigated the issue.
And as expected, clients and servers don't have the file access issues the reporter described, and the user also wasn't running any mods that even could access these functionalities.

What is left is "My server was ransomware infected, and I had a Reforger Server running on it"
We have no indication that it was caused by Reforger; this also seems more like a large-scale attack using known vulnerabilities in some commonly used software. Our barely 3 day old game would just not be an attack vector for such a scheme.

If someone has anything more concrete we will of course investigate it, but so far there is nothing here.

dedmen closed this task as Resolved. May 20 2022, 10:30 AM
dedmen changed Resolution from Open to Unable To Duplicate.