CVE-2021-33790
📋 TL;DR
CVE-2021-33790 is a critical deserialization vulnerability in the RebornCore library for Minecraft mods that allows remote code execution. Attackers can exploit this by sending specially crafted network packets to execute arbitrary code on affected servers. This affects Minecraft servers running mods that include vulnerable versions of RebornCore.
💻 Affected Systems
- RebornCore library
- Minecraft mods that depend on RebornCore
📦 What is this software?
Reborncore by Techreborn
Reborncore by Techreborn
Reborncore by Techreborn
Reborncore by Techreborn
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise allowing attacker to execute arbitrary commands, install malware, steal data, or use the server as part of a botnet.
Likely Case
Server takeover leading to data theft, disruption of gameplay, or installation of cryptocurrency miners.
If Mitigated
Limited impact if proper network segmentation and least privilege principles are implemented, though RCE would still be possible.
🎯 Exploit Status
Exploitation requires network access to the Minecraft server port (default 25565). The advisory includes technical details that could be used to create exploits.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.7.3 and later
Vendor Advisory: https://github.com/TechReborn/RebornCore/security/advisories/GHSA-r7pg-4xrf-7mrm
Restart Required: Yes
Instructions:
1. Update RebornCore to version 4.7.3 or later. 2. Update any mods that depend on RebornCore. 3. Restart the Minecraft server.
🔧 Temporary Workarounds
Network isolation
allRestrict network access to Minecraft server port (default 25565) to trusted networks only
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="TRUSTED_NETWORK" port protocol="tcp" port="25565" accept'
netsh advfirewall firewall add rule name="Minecraft" dir=in action=allow protocol=TCP localport=25565 remoteip=TRUSTED_NETWORK
🧯 If You Can't Patch
- Isolate the Minecraft server in a separate network segment with strict firewall rules
- Monitor network traffic to Minecraft port for unusual patterns and implement rate limiting
🔍 How to Verify
Check if Vulnerable:
Check RebornCore version in mods folder or server logs. If version is below 4.7.3, system is vulnerable.Check Version:
grep -i reborncore server.log | grep -i version OR check mods/RebornCore-*.jar file versionVerify Fix Applied:
Confirm RebornCore version is 4.7.3 or higher in server logs or mods folder.📡 Detection & Monitoring
Log Indicators:
- Unusual Java exceptions related to deserialization
- Unexpected class loading in server logs
- Network errors from ExtendedPacketBuffer
Network Indicators:
- Unusual traffic patterns to Minecraft port 25565
- Malformed network packets to Minecraft server
SIEM Query:
source="minecraft.log" AND ("ExtendedPacketBuffer" OR "ObjectInputStream" OR "readObject")🔗 References
- https://github.com/TechReborn/RebornCore/security/advisories/GHSA-r7pg-4xrf-7mrm
- https://vuln.ryotak.me/advisories/45
- https://www.curseforge.com/minecraft/mc-mods/reborncore
- https://github.com/TechReborn/RebornCore/security/advisories/GHSA-r7pg-4xrf-7mrm
- https://vuln.ryotak.me/advisories/45
- https://www.curseforge.com/minecraft/mc-mods/reborncore
