CVE-2020-6018

9.8 CRITICAL

📋 TL;DR

CVE-2020-6018 is a critical stack-based buffer overflow vulnerability in Valve's Game Networking Sockets library when compiled with libsodium. Attackers can send specially crafted long encrypted messages to trigger memory corruption, potentially leading to remote code execution. This affects any application using vulnerable versions of the Game Networking Sockets library.

💻 Affected Systems

Products:
  • Valve Game Networking Sockets library
  • Applications using GameNetworkingSockets (including some Steam components)
Versions: All versions prior to v1.2.0
Operating Systems: All platforms where libsodium compilation is used
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects builds compiled with libsodium support. Applications must be using the vulnerable AES_GCM_DecryptContext::Decrypt() function.
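
The bug class behind AES_GCM_DecryptContext::Decrypt(), as an added example that is not Valve's code and not from the original advisory: a decrypt wrapper that checks the peer-controlled ciphertext length against the caller's output capacity before any byte is written. The function names, the 64-byte stack buffer and the XOR stand-in for the AEAD primitive are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TAG_LEN 16u  /* AES-GCM authentication tag length in bytes */

/* Stand-in for the AEAD primitive (assumption: NOT real crypto). Like a real
 * AEAD decrypt call, it writes ct_and_tag_len - TAG_LEN bytes to out and has
 * no idea how large out really is. */
static void toy_aead_decrypt(uint8_t *out, const uint8_t *ct_and_tag,
                             size_t ct_and_tag_len)
{
    for (size_t i = 0; i < ct_and_tag_len - TAG_LEN; i++)
        out[i] = ct_and_tag[i] ^ 0x5a;
}

/* Hardened wrapper. On entry *out_len is the capacity of out; on success it
 * becomes the plaintext length. Returns 0 on success, -1 on rejection. */
int decrypt_checked(const uint8_t *ct_and_tag, size_t ct_and_tag_len,
                    uint8_t *out, size_t *out_len)
{
    if (ct_and_tag == NULL || out == NULL || out_len == NULL)
        return -1;
    if (ct_and_tag_len < TAG_LEN)      /* too short to even hold a tag */
        return -1;
    size_t pt_len = ct_and_tag_len - TAG_LEN;
    if (pt_len > *out_len)             /* without this check, out overflows */
        return -1;
    toy_aead_decrypt(out, ct_and_tag, ct_and_tag_len);
    *out_len = pt_len;
    return 0;
}

/* Constructed receive path: fixed stack buffer, length chosen by the peer. */
int handle_packet(const uint8_t *pkt, size_t pkt_len)
{
    uint8_t plain[64];                 /* hypothetical stack buffer size */
    size_t plain_len = sizeof plain;
    if (decrypt_checked(pkt, pkt_len, plain, &plain_len) != 0)
        return -1;                     /* drop the packet, nothing written */
    return (int)plain_len;
}
```

Rejected packets are a useful signal in their own right: counting the -1 returns per peer gives a direct view of the "unusually large encrypted packets" indicator listed under Detection & Monitoring.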

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution with the privileges of the vulnerable application, potentially leading to full system compromise.
🟠 Likely Case: Application crash (denial of service) or memory corruption leading to unstable behavior.
🟢 If Mitigated: No impact if patched or if proper network segmentation prevents exploitation.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited remotely without authentication over network connections.
🏢 Internal Only: MEDIUM - Exploitation requires network access to vulnerable services, but internal systems may still be at risk.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Check Point Research published a detailed analysis and proof-of-concept. The vulnerability requires sending specially crafted network packets to vulnerable endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.2.0 and later

Vendor Advisory: https://github.com/ValveSoftware/GameNetworkingSockets/commit/bea84e2844b647532a9b7fbc3a6a8989d66e49e3

Restart Required: Yes

Instructions:

1. Update GameNetworkingSockets library to version 1.2.0 or later.
2. Recompile any applications using the library.
3. Restart affected services.

🔧 Temporary Workarounds

Disable libsodium compilation (platforms: all)

Compile GameNetworkingSockets without libsodium support to avoid the vulnerable code path.

cmake -DUSE_LIBSODIUM=OFF ..
make clean
make

Network segmentation (platforms: all)

Restrict network access to services using the vulnerable GameNetworkingSockets library.

🧯 If You Can't Patch

  • Implement strict network firewall rules to limit access to vulnerable services
  • Monitor for abnormal network traffic patterns and application crashes

🔍 How to Verify

Check if Vulnerable:

Check whether the application uses a GameNetworkingSockets library version earlier than 1.2.0 and was compiled with libsodium support.

Check Version:

Check the application's dependencies or build configuration for the GameNetworkingSockets version.

Verify Fix Applied:

Verify GameNetworkingSockets library version is 1.2.0 or later and check compilation flags for libsodium.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with memory corruption errors
  • Abnormal termination of services using GameNetworkingSockets

Network Indicators:

  • Unusually large encrypted packets sent to services using GameNetworkingSockets
  • Traffic patterns matching known exploit attempts

SIEM Query:

search 'GameNetworkingSockets crash' OR 'buffer overflow' OR 'memory corruption' in application logs
