[OPS] [2.0.28] Updater does not verify the SSL certificates

WRah
Manual Inserter
Posts: 2
Joined: Sat Nov 28, 2020 6:31 pm

[OPS] [2.0.28] Updater does not verify the SSL certificates

Post by WRah »

What did you do?
I have spoofed the updater.factorio.com DNS record in my LAN to point to a different IP address, with a "fake" update server that serves a modified latest update (2.0.27 to 2.0.28) with completely different content.

What happened?
Factorio connected to my fake update server (with invalid certificate), downloaded the update, installed it and started the modified binary.

What did you expect to happen instead? It might be obvious to you, but do it anyway!
I expected Factorio not to download the update as the certificate did not correspond to the hostname. Or somehow validate that the update is authentic with some form of signature validation...

Does it happen always, once, or sometimes?
Always... I have successfully tested this on the Windows (ZIP version), macOS (this was a bit unexpected, because I believed that macOS had some signature checking, but alas...) and Linux versions.

I am quite sure that this is a security issue, as it allows a possibly malicious application to be executed on the target. There is an older report in the "not a bug" bin with some incorrect assumptions: viewtopic.php?f=23&t=926
Attachments
factorio_spoofed_update.log
Sanqui
Factorio Staff
Posts: 343
Joined: Mon May 07, 2018 7:22 pm

Re: [OPS] [2.0.28] Updater does not verify the SSL certificates

Post by Sanqui »

This rather embarrassing oversight will be fixed in the next release.
ovo