Use recent OpenSSL that has no known CVEs


koutoftimer
Burner Inserter
Posts: 5
Joined: Thu Oct 31, 2024 3:37 pm

Use recent OpenSSL that has no known CVEs

Post by koutoftimer »

Code:

$ xxd bin/x64/factorio | grep 'OpenSSL' | head -n 1
00d81410: 4f70 656e 5353 4c20 312e 312e 3167 2020  OpenSSL 1.1.1g  
$ pwd
/home/ruslan/.steam/steam/steamapps/common/Factorio
$ uname -r
6.18.33-p1-gentoo-dist
$ ./bin/x64/factorio --version
Version: 2.0.76 (build 84451, linux64, steam)
Version: 64
Map input version: 1.0.0-0
Map output version: 2.0.76-0
21 Apr 2020 is the release date of OpenSSL 1.1.1g https://openssl-library.org/source/old/1.1.1/

Factorio is affected by each and every known CVE since 2020! https://openssl-library.org/news/vulner ... index.html

You can use either premium 1.1.1zh or 3.5.6 and use a compatibility library that will redirect the old API to the new library.
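As an added example (not code from this thread or from Factorio), a small Python scanner that automates the xxd | grep check from the first post: it finds embedded OpenSSL version banners in a binary and flags those older than a baseline release. The 1.1.1zh baseline and the "OpenSSL 1.1.1g" bytes are taken from this thread; the padding around them is constructed, and the suffix ordering rule is an assumption about OpenSSL 1.x letter releases.

```python
import re
from typing import List, Tuple

Version = Tuple[int, int, int, str]

# Banner as it appears in libcrypto/libssl string tables, e.g. "OpenSSL 1.1.1g  21 Apr 2020".
# The 1.x line uses a letter suffix for patch releases; 3.x uses plain numbers (empty suffix).
_BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")

# Constructed sample "binary": padding around the exact bytes from the xxd output above
# (4f70 656e 5353 4c20 312e 312e 3167 20 = "OpenSSL 1.1.1g "), followed by the release date.
SAMPLE_BINARY = (
    b"\x00" * 16
    + bytes.fromhex("4f70656e53534c20312e312e316720")
    + b" 21 Apr 2020\x00"
    + b"\x7fELF junk\x00"
)

def find_openssl_versions(data: bytes) -> List[Version]:
    """Return every distinct OpenSSL version banner found in a binary blob."""
    found: List[Version] = []
    for m in _BANNER.finditer(data):
        v: Version = (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4).decode())
        if v not in found:
            found.append(v)
    return found

def version_key(v: Version):
    """Sortable key. Letter releases order '' < 'a' < ... < 'z' < 'za' < ... < 'zh' (assumed),
    so the suffix is compared by (length, text) rather than plain string order."""
    major, minor, patch, suffix = v
    return (major, minor, patch, len(suffix), suffix)

def is_outdated(found: Version, baseline: Version) -> bool:
    """True when the embedded build is older than the baseline release you consider current."""
    return version_key(found) < version_key(baseline)

def scan_binary(data: bytes, baseline: Version = (1, 1, 1, "zh")) -> List[Tuple[Version, bool]]:
    """Pair each embedded OpenSSL version with an 'outdated' flag against the baseline.
    Default baseline 1.1.1zh is the release named in the thread; pass your own for 3.x."""
    return [(v, is_outdated(v, baseline)) for v in find_openssl_versions(data)]

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    for v, old in scan_binary(blob):
        print("OpenSSL %d.%d.%d%s -> %s" % (*v, "OUTDATED" if old else "ok"))
```

Run it against bin/x64/factorio (or any other binary) to get the same answer as the xxd one-liner, plus the comparison against the baseline.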
pioruns
Filter Inserter
Posts: 342
Joined: Tue Nov 05, 2024 3:38 pm

Re: Use recent OpenSSL that has no known CVEs

Post by pioruns »

Very good find. So it means Factorio has been compiled with an outdated version of this library, and it may make it exposed to some vulnerabilities during online play?
Playing on: Fractal Meshify 2 RGB | AMD Ryzen 9 5950X (32) @ 3.4GHz
ASRock X570 Steel Legend | 64GiB ECC DDR4 RAM @ 3600MT/s
Radeon RX 6800 XT 16GiB | Crucial P2 SSD 500GB NVMe | 2x 2TB HDD | OS: Devuan GNU/Linux
Rseding91
Factorio Staff
Posts: 16862
Joined: Wed Jun 11, 2014 5:23 am

Re: Use recent OpenSSL that has no known CVEs

Post by Rseding91 »

Factorio multiplayer does not use SSL, or any form of encryption. As far as I remember it’s only used for downloading mods, updates for the zip version of the game, and communication with the matching server (browsing the available games to join).
If you want to get ahold of me I'm almost always on Discord.
pioruns
Filter Inserter
Posts: 342
Joined: Tue Nov 05, 2024 3:38 pm

Re: Use recent OpenSSL that has no known CVEs

Post by pioruns »

Oh, what's even worse. Multiplayer games are used only by a fraction of players, while the update function is used by almost everyone with the standalone version. If there's an unknown bug there, it can affect many installations.

Perhaps you can update it for 2.0 release?
Playing on: Fractal Meshify 2 RGB | AMD Ryzen 9 5950X (32) @ 3.4GHz
ASRock X570 Steel Legend | 64GiB ECC DDR4 RAM @ 3600MT/s
Radeon RX 6800 XT 16GiB | Crucial P2 SSD 500GB NVMe | 2x 2TB HDD | OS: Devuan GNU/Linux
koutoftimer
Burner Inserter
Posts: 5
Joined: Thu Oct 31, 2024 3:37 pm

Re: Use recent OpenSSL that has no known CVEs

Post by koutoftimer »

pioruns wrote: Sun Jun 14, 2026 8:48 pm Oh, what's even worse. Multiplayer games are used only by a fraction of players, while the update function is used by almost everyone with the standalone version. If there's an unknown bug there, it can affect many installations.

Perhaps you can update it for 2.0 release?
I've played a bit with eBPF. I've attached to the running factorio process, the OpenSSL_write function, to be precise, and yes, it doesn't seem like any data is sent using the statically linked OpenSSL library in single player. Only when you are accessing mods does the heroku-hosted mods portal get accessed, and during logout/login the steam API gets accessed. I haven't touched multiplayer though.

I've collected some stats about the CVEs factorio is currently exposed to and

Code:

Total CVEs affecting versions after 1.1.1g: 47
  High: 7
  Moderate: 11
  Low: 29
Out of which, only one High severity looks promising for man-in-the-middle attack.
pioruns
Filter Inserter
Posts: 342
Joined: Tue Nov 05, 2024 3:38 pm

Re: Use recent OpenSSL that has no known CVEs

Post by pioruns »

koutoftimer wrote: Mon Jun 15, 2026 12:46 pm I've collected some stats about the CVEs factorio is currently exposed to and

Code:

Total CVEs affecting versions after 1.1.1g: 47
  High: 7
  Moderate: 11
  Low: 29
Out of which, only one High severity looks promising for man-in-the-middle attack.
Excellent work!
Playing on: Fractal Meshify 2 RGB | AMD Ryzen 9 5950X (32) @ 3.4GHz
ASRock X570 Steel Legend | 64GiB ECC DDR4 RAM @ 3600MT/s
Radeon RX 6800 XT 16GiB | Crucial P2 SSD 500GB NVMe | 2x 2TB HDD | OS: Devuan GNU/Linux
MEOWMI
Filter Inserter
Posts: 379
Joined: Wed May 22, 2019 12:21 pm

Re: Use recent OpenSSL that has no known CVEs

Post by MEOWMI »

If even one of them could actually be used as a plausible attack vector then it's worth looking into fixing. It doesn't necessarily sound like that is definitely the case but I don't know the details either.

Having said that, I would guess the developers already have looked at it to some degree and I'll have to trust they make the right call.