CVE-2021-37632 in Config Libinfo

Summary

by MITRE • 08/06/2021

SuperMartijn642's Config Lib is a library used by a number of mods for the game Minecraft. The versions of SuperMartijn642's Config Lib between 1.0.4 and 1.0.8 are affected by a vulnerability and can be exploited on both servers and clients. Using SuperMartijn642's Config Lib, servers will send a packet to clients with the server's config values. In order to read `enum` values from the packet data, `ObjectInputStream#readObject` is used. `ObjectInputStream#readObject` will instantiate a class based on the input data. Since, the packet data is not validated before `ObjectInputStream#readObject` is called, an attacker can instantiate any class by sending a malicious packet. If a suitable class is found, the vulnerability can lead to a number of exploits, including remote code execution. Although the vulnerable packet is typically only send from server to client, it can theoretically also be send from client to server. This means both clients and servers running SuperMartijn642's Config Lib between 1.0.4 and 1.0.8 are vulnerable. The vulnerability has been patched in SuperMartijn642's Config lib 1.0.9. Both, players and server owners, should update to 1.0.9 or higher.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 08/08/2021

The vulnerability identified as CVE-2021-37632 affects SuperMartijn642's Config Lib, a widely used library for Minecraft modding that facilitates configuration management across various mods. This library operates within the Minecraft ecosystem by enabling communication of configuration data between server and client instances through serialized packet exchanges. The affected versions ranging from 1.0.4 through 1.0.8 contain a critical security flaw that undermines the integrity of the serialization process and exposes both server and client instances to potential exploitation.

The technical flaw resides in the improper handling of serialized object data within the packet transmission mechanism. Specifically, when processing enum values from server configuration packets, the library employs ObjectInputStream#readObject method without implementing proper validation or filtering mechanisms. This method executes the deserialization process by instantiating classes based on the serialized data received from network packets. The absence of input validation creates a dangerous condition where attacker-controlled data can trigger instantiation of arbitrary classes within the application context, effectively bypassing normal security boundaries and access controls.

The operational impact of this vulnerability extends across both server and client environments, as the malicious packet transmission can originate from either direction within the network communication model. This bidirectional vulnerability means that compromised clients could potentially exploit servers, while malicious servers could compromise connected clients. The potential for remote code execution emerges when attackers can identify and leverage suitable classes within the application's classpath that contain exploitable methods or functionality. This represents a severe threat vector that could allow attackers to execute arbitrary code on targeted systems, potentially leading to complete system compromise and unauthorized access to player data or server resources.

This vulnerability aligns with CWE-502, which describes "Deserialization of Untrusted Data" as a critical weakness in software security implementations. The flaw demonstrates characteristics consistent with the attack patterns documented in the MITRE ATT&CK framework under the T1059.007 technique for "Command and Scripting Interpreter: PowerShell," where attackers can leverage deserialization vulnerabilities to achieve remote code execution through crafted input data. The security implications extend beyond simple data corruption to represent a complete breakdown in the application's ability to validate and sanitize external inputs, creating an attack surface that can be exploited across multiple execution contexts.

The recommended mitigation strategy involves immediate upgrade to SuperMartijn642's Config Lib version 1.0.9 or higher, which implements proper input validation and sanitization measures for serialized object data. System administrators and Minecraft server owners should prioritize this update across all affected installations, while players should ensure their modded Minecraft environments are updated to prevent potential exploitation. Additional defensive measures could include network-level filtering to restrict packet transmission between known trusted sources, though the primary remediation remains the software update that addresses the root cause of the deserialization vulnerability.

Responsible

GitHub, Inc.

Reservation

07/29/2021

Disclosure

08/06/2021

Moderation

accepted

CPE

ready

EPSS

0.01678

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!