CVE-2023-37262 in OpenComputers
Summary
by MITRE • 07/08/2023
CC: Tweaked is a mod for Minecraft which adds programmable computers, turtles, and more to the game. Prior to versions 1.20.1-1.106.0, 1.19.4-1.106.0, 1.19.2-1.101.3, 1.18.2-1.101.3, and 1.16.5-1.101.3, if the cc-tweaked plugin is running on a Minecraft server hosted on a popular cloud hosting providers, like AWS, GCP, and Azure, those metadata services API endpoints are not forbidden (aka "blacklisted") by default. As such, any player can gain access to sensitive information exposed via those metadata servers, potentially allowing them to pivot or privilege escalate into the hosting provider. Versions 1.20.1-1.106.0, 1.19.4-1.106.0, 1.19.2-1.101.3, 1.18.2-1.101.3, and 1.16.5-1.101.3 contain a fix for this issue.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/25/2023
The vulnerability described in CVE-2023-37262 affects the CC: Tweaked mod for Minecraft, a popular modification that introduces programmable computers and turtles into the game environment. This security flaw exists in versions prior to specific patch releases across multiple Minecraft versions including 1.20.1, 1.19.4, 1.19.2, 1.18.2, and 1.16.5. The issue stems from the mod's default configuration on cloud hosting platforms where it fails to properly restrict access to metadata service endpoints that are typically available through cloud infrastructure providers such as Amazon Web Services, Google Cloud Platform, and Microsoft Azure.
The technical nature of this vulnerability involves improper network access controls within the mod's server implementation. When CC: Tweaked operates on a Minecraft server hosted in cloud environments, it does not automatically blacklist or restrict access to the metadata service APIs that cloud providers expose to instances. These metadata services typically contain sensitive information such as instance identifiers, security credentials, network configuration details, and other privileged data that should remain inaccessible to unauthorized users. The vulnerability creates a vector where any player with access to the Minecraft server can potentially query these metadata endpoints and extract confidential information that could be used for further exploitation.
The operational impact of this vulnerability extends beyond simple information disclosure, as it enables potential privilege escalation and lateral movement within cloud environments. An attacker who gains access to cloud metadata through this vulnerability could obtain instance-specific credentials, access keys, or other sensitive information that might allow them to pivot into the broader cloud infrastructure. This represents a significant risk for organizations that host their Minecraft servers on cloud platforms, as the vulnerability essentially provides a backdoor into the hosting provider's infrastructure. The potential for credential theft and unauthorized access to cloud resources makes this a critical security concern that aligns with common attack patterns documented in the MITRE ATT&CK framework under techniques related to credential access and privilege escalation.
The fix implemented in the patched versions of CC: Tweaked addresses this issue by properly blacklisting or restricting access to cloud metadata service endpoints by default. This remediation follows security best practices outlined in industry standards such as those referenced in CWE-284, which deals with improper access control, and CWE-200, which addresses exposure of sensitive information. The mitigation strategy ensures that the mod's default configuration prevents unauthorized access to cloud metadata services while maintaining the mod's core functionality for legitimate gameplay purposes. Organizations should immediately update to the patched versions to eliminate this attack vector and protect their cloud-hosted Minecraft servers from potential exploitation. The vulnerability demonstrates the importance of considering cloud-specific security implications when developing server-side modifications and highlights the need for proper network segmentation and access control mechanisms in cloud environments.