FiveM Security Advisory - 2019-01-02

plumbum · January 2, 2019, 9:08am

A vulnerability in the FiveM FXServer remote console code could allow an unauthenticated remote attacker to cause a C++ exception, resulting in a denial of service (DoS) condition.

This vulnerability is caused by an oversight in network packet parsing, and can be triggered by sending specially crafted UDP packets to any FiveM game server.

We have addressed this vulnerability in server releases starting at build 957 for Windows, however the corresponding Linux build is non-functional due to an unrelated bug - we’re working on a hotfix release in the feature/one-off-server-hotfix branch, and this post will be updated when it is available. You can tell what version you’re running by either:

Accessing https://host:port/info.json and checking the server field.
Running the version command in the server (remote) console.

Attackers are currently using this vulnerability in the wild, so it is practically required to upgrade your server instances to this version or higher (if available).

As a mitigation for Linux, if you do not rely on remote console commands, you can use the following iptables command to block input remote console packets:

iptables -A INPUT -m string --algo bm --hex-string "|ffffffff72636f6e|" -j DROP

CVSS score: 7.5 (High)

bismuth · January 2, 2019, 9:14am

A Linux build has been made available at https://runtime.fivem.net/artifacts/fivem/build_proot_linux/feature/one-off-server-hotfix/ - note that this branch is a temporary branch only to be used for this hotfix release.

erbium · January 2, 2019, 9:57am

A Windows hotfix has also been made available to prevent some ‘streaming issues’ from occurring: https://runtime.fivem.net/artifacts/fivem/build_server_windows/feature/one-off-server-hotfix/

xenon · January 2, 2019, 5:01pm

The master builds should have the unrelated issues resolved and should be usable again as of version 960.