CVE-2024-45407

6.5 MEDIUM

📋 TL;DR

This vulnerability in Sunshine game streaming software allows an attacker to gain unauthorized access by exploiting a flaw in the pairing process. During a man-in-the-middle attack, if a client attempts pairing with an incorrect PIN, the attacker's certificate is incorrectly saved before authentication fails, granting the attacker persistent access. This affects all Sunshine users who perform client pairing.
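
The ordering flaw described above, reduced to a small model with the flawed and corrected behaviour side by side. This is an added example, not Sunshine's code or protocol: the class, its two phases, the `persist_early` switch and the sample PIN and certificate strings are all hypothetical.

```cpp
#include <map>
#include <set>
#include <string>
#include <utility>

// Hypothetical two-phase pairing model (not Sunshine's code or protocol).
class PairingServer {
public:
    PairingServer(std::string pin, bool persist_early)
        : pin_(std::move(pin)), persist_early_(persist_early) {}

    // Phase 1: the client presents its certificate.
    void begin(int session, const std::string &cert) {
        pending_[session] = cert;                    // staged, not yet trusted
        if (persist_early_) trusted_.insert(cert);   // flawed: saved before the PIN check
    }

    // Phase 2: the client submits the PIN for this session.
    bool finish(int session, const std::string &pin) {
        auto it = pending_.find(session);
        if (it == pending_.end()) return false;      // unknown or already used session
        std::string cert = it->second;
        pending_.erase(it);                          // a session is single-use
        if (pin != pin_) return false;               // failed: nothing is committed here
        trusted_.insert(cert);                       // corrected: commit only after success
        return true;
    }

    bool trusted(const std::string &cert) const { return trusted_.count(cert) != 0; }

private:
    std::string pin_;
    bool persist_early_;
    std::map<int, std::string> pending_;  // certificates awaiting PIN verification
    std::set<std::string> trusted_;       // certificates accepted for later sessions
};

// Regression check: after a failed pairing, is the presented certificate still trusted?
bool cert_survives_failed_pairing(bool persist_early) {
    PairingServer s("4821", persist_early);          // constructed sample PIN
    s.begin(1, "CERT-UNVERIFIED");                   // constructed sample certificate
    bool paired = s.finish(1, "0000");               // wrong PIN, pairing must fail
    return !paired && s.trusted("CERT-UNVERIFIED");
}
```

`cert_survives_failed_pairing(true)` reproduces the condition the advisory describes; with `false` the trusted store is unchanged after the failed attempt, which is the property to confirm after updating.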

💻 Affected Systems

Products:
  • Sunshine
Versions: All versions prior to the fix
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using Sunshine's pairing functionality. The vulnerability is present in the default configuration when pairing is enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker gains persistent unauthorized access to the Sunshine streaming server, potentially intercepting game streams, accessing system resources, or using the server as a pivot point for further attacks.

🟠 Likely Case

An attacker on the same network intercepts pairing attempts and gains unauthorized access to the Sunshine server, allowing them to view or disrupt game streams.

🟢 If Mitigated

With proper network segmentation and monitoring, the impact is limited to unauthorized access to the Sunshine service only, with no lateral movement to other systems.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires a man-in-the-middle position during the pairing process and knowledge of the pairing workflow.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions with commits 5fcd07ecb1428bfe245ad6fa349aead476c7e772 and fd7e68457a134102d1b30af5796c79f2aa623224

Vendor Advisory: https://github.com/LizardByte/Sunshine/security/advisories/GHSA-jqph-8cp5-g874

Restart Required: Yes

Instructions:

1. Update Sunshine to the latest version.
2. Restart the Sunshine service.
3. Re-pair all clients to ensure old certificates are invalidated.

🔧 Temporary Workarounds

Disable client pairing temporarily

all

Temporarily disable the pairing functionality to prevent exploitation while planning an update.

Edit Sunshine configuration to disable pairing or set to trusted clients only

Network isolation

all

Isolate Sunshine server to trusted network segments only during pairing operations.

Use firewall rules to restrict access to the Sunshine ports (47984-47990, 48010) during pairing

🧯 If You Can't Patch

  • Isolate Sunshine server to a dedicated VLAN with strict access controls
  • Monitor network traffic for unauthorized pairing attempts and certificate changes

🔍 How to Verify

Check if Vulnerable:

Check Sunshine version against patched versions in the security advisory. Review if pairing functionality is enabled.

Check Version:

Run sunshine --version, or check the version shown in the Sunshine web interface

Verify Fix Applied:

Verify Sunshine version includes the fix commits. Test pairing process with a controlled MITM scenario to ensure certificates are not persisted on failed attempts.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed pairing attempts from same IP
  • Unexpected certificate changes in Sunshine logs
  • Pairing success followed by immediate failure

Network Indicators:

  • Unusual traffic on Sunshine ports (47984-47990, 48010) during pairing
  • MITM tools like ettercap or bettercap detected on network

SIEM Query:

source="sunshine" AND (event="pairing_failed" OR event="certificate_change") | stats count by src_ip
