CVE-2023-37261

9.6 CRITICAL

📋 TL;DR

This vulnerability in OpenComputers Minecraft mod allows players to access cloud metadata services and local network resources through improperly filtered Internet Card connections. It affects all OpenComputers versions 1.2.0 through 1.8.3 with default configurations on cloud-hosted Minecraft servers. Attackers can retrieve sensitive cloud metadata and access private network ranges.

💻 Affected Systems

Products:
  • OpenComputers Minecraft mod
Versions: 1.2.0 through 1.8.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects servers with Internet Card feature enabled (default). Cloud hosting providers like AWS, GCP, Azure are particularly vulnerable due to accessible metadata services.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full compromise of cloud hosting account through metadata service access, privilege escalation to cloud provider resources, and lateral movement through internal networks.

🟠 Likely Case

Exposure of cloud instance metadata containing credentials, access tokens, and configuration data, potentially leading to account takeover.

🟢 If Mitigated

Limited to Minecraft server environment with no access to external resources or metadata services.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires player access to OpenComputers computers in-game but no authentication beyond normal Minecraft server access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.8.3 for Minecraft 1.7.10 and 1.12.2

Vendor Advisory: https://github.com/MightyPirates/OpenComputers/releases/tag/1.12.2-forge%2F1.8.3

Restart Required: Yes

Instructions:

1. Download OpenComputers v1.8.3 from the official GitHub releases.
2. Replace the existing OpenComputers mod files.
3. Restart the Minecraft server.

🔧 Temporary Workarounds

Disable Internet Card feature (applies to: all)

Completely disable the vulnerable Internet Card functionality.

Set 'opencomputers.internet.enabled' to 'false' in the server config.

Configure allow list (v1.3.0+) (applies to: all)

Restrict the Internet Card to specific allowed addresses only.

Set 'opencomputers.internet.whitelist' with the approved addresses in the server config.

Configure block list (applies to: all)

Block access to cloud metadata endpoints and private IP ranges.

Add the metadata endpoint and private ranges (169.254.169.254, fd00::/8, etc.) to 'opencomputers.internet.blacklist'.

🧯 If You Can't Patch

  • Disable Internet Card feature immediately via configuration
  • Implement network-level restrictions to block outbound connections from Minecraft server to metadata services

🔍 How to Verify

Check if Vulnerable:

Check OpenComputers version in mods folder or server logs. Versions 1.2.0-1.8.2 are vulnerable if Internet Card is enabled.

Check Version:

Check mods/OpenComputers-*.jar filename or server startup logs

Verify Fix Applied:

Confirm OpenComputers version is 1.8.3 and test that Internet Card cannot access cloud metadata endpoints (169.254.169.254).

📡 Detection & Monitoring

Log Indicators:

  • Internet Card connection attempts to metadata service IPs
  • Unusual network access patterns from OpenComputers

Network Indicators:

  • Outbound connections from Minecraft server to 169.254.169.254 or IPv6 link-local addresses
  • HTTP requests to /latest/meta-data/ paths

SIEM Query:

source="minecraft-server" AND (dest_ip=169.254.169.254 OR dest_ip=fd00::/8)

Note that fd00::/8 is a CIDR range, not a single value: in most SIEM query languages an equality test on it matches nothing, so use the product's CIDR-match function (for example Splunk's cidrmatch("fd00::/8", dest_ip)) or expand the range in the query.
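The block-list workaround above and the SIEM query above both come down to one check: is the destination address inside a blocked range? The following is an added example (not the mod's code) of that check in Python, run over constructed connection log lines; the range list, field names and sample lines are assumptions for this example.

```python
import ipaddress
import re

# Destinations the block list above should cover: the cloud metadata endpoint
# (via its link-local range), IPv6 ULA/link-local, RFC 1918 and loopback.
# Constructed for this example; not the mod's shipped default list.
BLOCKED_RANGES = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16",                                 # covers 169.254.169.254
    "fd00::/8",                                       # IPv6 unique local
    "fe80::/10",                                      # IPv6 link-local
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "::1/128",                         # loopback
)]

def blocked_reason(addr: str):
    """Return the CIDR that blocks this destination address, or None.
    IPv4-mapped IPv6 (::ffff:a.b.c.d) is unwrapped first so the IPv4 ranges
    still apply; a filter that skips this step lets the mapped form through.
    Apply it to the address resolved at connect time, not to the hostname."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    for net in BLOCKED_RANGES:
        if ip in net:          # False when IP versions differ, no error raised
            return str(net)
    return None

# Constructed key=value connection log lines in the shape the SIEM query above
# assumes (a dest_ip field); not real server output.
SAMPLE_LOG = [
    "source=minecraft-server card=internet dest_ip=169.254.169.254 dest_port=80 path=/latest/meta-data/",
    "source=minecraft-server card=internet dest_ip=203.0.113.10 dest_port=443 path=/",
    "source=minecraft-server card=internet dest_ip=[fd12:3456::1] dest_port=8080 path=/",
    "source=minecraft-server card=internet dest_ip=[::ffff:169.254.169.254] dest_port=80 path=/latest/meta-data/",
]

DEST_RE = re.compile(r"dest_ip=\[?([0-9A-Fa-f.:]+)\]?")

def flag_log_lines(lines):
    """Return [(line, blocking_cidr)] for every line whose dest_ip is blocked."""
    flagged = []
    for line in lines:
        m = DEST_RE.search(line)
        if m and (reason := blocked_reason(m.group(1))):
            flagged.append((line, reason))
    return flagged
```

The same function can back a pre-connect filter and a post-hoc log review, which keeps the two in agreement.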
