Valve Patches Security Bug That Existed in Steam Client for the Past Ten Years

Valve developers have recently patched a severe security flaw that affected all versions of the Steam gaming client released in the past ten years.

According to Tom Court, a security researcher with Context Information Security, the one who discovered the flaw, the vulnerability would have allowed an attacker to execute malicious code on any of Steam's 15 million gaming clients.

Vulnerability exploitable remotely via network packets

In the jargon of security researchers, this is a remote code execution (RCE) flaw because exploitation was possible via network requests, without needing access to the victim's computer.

Court says an attacker was only required to send malformed UDP packets to a target's Steam client, which would have triggered the bug and allowed him to run malicious code on the target's PC.

The root cause of this vulnerability is a buffer overflow in one of Steam's many internal libraries —and more specifically in Steam's code that dealt with fragmented UDP datagram reassembly.

Bug accidentally half-patched last July

The Context security researcher says exploitation of this flaw would have been trivial up until July 2017, when Valve added ASLR protection to the Steam desktop client.

The added security feature made exploitation more difficult, causing only a crash of the Steam client in subsequent editions.

Nevertheless, Court says that an attacker would have still been successful at exploiting this bug if he combined the original flaw with an info-leak that exposed the memory location of the Steam app.

The issue is now fixed in Steam. Court reported the bug to Valve on February 20, this year, and Valve developers pushed out an initial patch for the Steam beta client within 12 hours. A final fix was released for the main Steam client on April 4.

After giving Steam users almost two months to update, Court has published today a report about the issue, including lengthy technical details and a proof-of-concept video.