Serious cybersecurity concerns have arisen in the popular gaming world of Minecraft. Security researchers warn of a new vulnerability, nicknamed "BleedingPipe," posing significant risks to clients and servers running popular Minecraft mods on 1.7.10/1.12.2 Forge and other mods. The exploit allows full remote code execution (RCE) on vulnerable systems and has already seen several instances of successful exploitation.
According to the Minecraft Malware Protection Association (MMPA), the issue could also affect other versions of Minecraft if a vulnerable mod is installed. It's feared that the vulnerability could spread beyond the server and infect clients that join.
"The bug is a well known issue with deserialization using ObjectInputStream," the MMPA warns in a security advisory. "The mods affected used OIS for networking code, and this allowed packets with malicious serialization to be sent. This allows anything to be run on the server, which then can be used on the server to do the same thing to all clients, therefore infecting all clients with the server in reverse."
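The deserialization flaw the advisory describes, as an added example that is not code from any of the affected mods: a constructed ChatPacket class stands in for a mod's packet type, readUnfiltered shows the unsafe readObject() pattern on network bytes, and readFiltered shows the allowlisted form, assuming Java 9 or later for ObjectInputFilter.

```java
import java.io.*;
import java.util.HashMap;

// Constructed stand-in for a packet type a mod's protocol legitimately carries.
final class ChatPacket implements Serializable {
    private static final long serialVersionUID = 1L;
    final String text;
    ChatPacket(String text) { this.text = text; }
}

public class PacketDeserialization {

    // Vulnerable pattern: readObject() on bytes received from the network with no
    // filter, so the sender decides which classes on the classpath get instantiated.
    static Object readUnfiltered(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            return ois.readObject();
        }
    }

    // Hardened pattern (Java 9+ ObjectInputFilter): allowlist only the expected packet
    // class, reject every other class ("!*"), and cap nesting depth and stream size.
    static ChatPacket readFiltered(byte[] payload) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "ChatPacket;java.lang.String;!*;maxdepth=4;maxbytes=4096");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            ois.setObjectInputFilter(filter);
            return (ChatPacket) ois.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new ChatPacket("hello"));          // constructed sample
        byte[] unexpected = serialize(new HashMap<String, String>());  // a class not in the protocol
        System.out.println("unfiltered accepted: " + readUnfiltered(unexpected).getClass().getName());
        System.out.println("filtered accepted: " + readFiltered(expected).text);
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered rejected: " + e.getMessage());
        }
    }
}
```

The unfiltered reader instantiates whatever class the stream names, while the filtered reader throws InvalidClassException for the HashMap stream and accepts only the ChatPacket one.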
First spotted in March 2022, when an issue about an ObjectInputStream vulnerability was posted on BDLib's GitHub, the threat lay dormant until July 9, 2023. On this date, a Forge forum post detailed a live RCE security incident on a server, resulting in the total compromise of that server and the possible exposure of clients' Discord credentials.
Following this revelation, researchers narrowed the issue down to three mods: BDLib, EnderCore, and LogisticsPipes. However, despite the severe nature of the threat, the forum post failed to gain much attention, with many Minecraft players, particularly users of these mods, remaining in the dark about the vulnerability.
On July 24, 2023, MineYourMind announced that they'd fixed the bug and would be working with developers to issue patches. The remaining GTNH (GT New Horizons, a popular modpack) forks on GitHub subsequently received patches for the vulnerability as well.
Despite these patch efforts, the vulnerability remains a live issue for most servers using the affected mods and their original versions. Affected mods include, but are not limited to, EnderCore, LogisticsPipes, the 1.7-1.12 versions of BDLib, Smart Moving 1.12, Brazier, DankNull and Gadomancy.
A threat actor reportedly scanned all IPv4 Minecraft servers to identify vulnerable servers and mass-deployed a malicious payload onto all affected targets. The exploit's contents are still unclear and it's not certain whether it was used against other clients. Without knowing the content of the payload, detecting the attack is a challenge.
Both server admins and players are urged to check for suspicious files in servers, .minecraft directories, and mods folders, particularly for those using modded launchers like Curseforge. Admins should also consider updating or removing the mods affected by the vulnerability.
This news comes on the heels of the discovery of another malware strain, "Fractureiser," which lurks within various Minecraft mods and can propagate itself to all JAR files on the system, inject arbitrary cryptocurrency addresses in the clipboard, steal cookies and user credentials from web browsers, and exfiltrate credentials for Discord, Microsoft and Minecraft.