Page 1 of 1
Use recent OpenSSL that has no known CVEs
Posted: Sun Jun 14, 2026 2:39 pm
by koutoftimer
Code: Select all
$ xxd bin/x64/factorio | grep 'OpenSSL' | head -n 1
00d81410: 4f70 656e 5353 4c20 312e 312e 3167 2020 OpenSSL 1.1.1g
$ pwd
/home/ruslan/.steam/steam/steamapps/common/Factorio
$ uname -r
6.18.33-p1-gentoo-dist
$ ./bin/x64/factorio --version
Version: 2.0.76 (build 84451, linux64, steam)
Version: 64
Map input version: 1.0.0-0
Map output version: 2.0.76-0
21 Apr 2020 is the release date of OpenSSL 1.1.1g
https://openssl-library.org/source/old/1.1.1/
Factorio is affected by each and every known CVE since 2020!
https://openssl-library.org/news/vulner ... index.html
You can use either premium 1.1.1zh or 3.5.6 and use compatibility library that will redirect old API to new library.
Re: Use recent OpenSSL that has no known CVEs
Posted: Sun Jun 14, 2026 2:43 pm
by pioruns
Very good find. So it means Factorio has been compiled with outdated version of this library, and it may make it exposed to some vulnerabilities during online play?
Re: Use recent OpenSSL that has no known CVEs
Posted: Sun Jun 14, 2026 2:56 pm
by Rseding91
Factorio multiplayer does not use SSL, or any form of encryption. As far as I remember it’s only used for downloading mods, updates for the zip version of the game, and communication with the matching server (browsing the available games to join).
Re: Use recent OpenSSL that has no known CVEs
Posted: Sun Jun 14, 2026 8:48 pm
by pioruns
Oh, what's even worse. Multiplier games are used only by a fraction of players, while update function by almost everyone with standalone version. If there's unknown bug there, it can affect many installations.
Perhaps you can update it for 2.0 release?
Re: Use recent OpenSSL that has no known CVEs
Posted: Mon Jun 15, 2026 12:46 pm
by koutoftimer
pioruns wrote: Sun Jun 14, 2026 8:48 pm
Oh, what's even worse. Multiplier games are used only by a fraction of players, while update function by almost everyone with standalone version. If there's unknown bug there, it can affect many installations.
Perhaps you can update it for 2.0 release?
I've played a bit with eBPF. I've attached to running factorio process, OpenSSL_write function, to be precise, and yes, it doesn't seem like any data is send using statically linked OpenSSL library in single player. Only when you are accessing mods, heroku hosted mods portal gets accessed, and during logout/login steam API gets accessed. I haven't touched multiplayer though.
I've collected some stats about CVEs factorio currently exposed to and
Code: Select all
Total CVEs affecting versions after 1.1.1g: 47
High: 7
Moderate: 11
Low: 29
Out of which, only one High severity looks promising for man-in-the-middle attack.
Re: Use recent OpenSSL that has no known CVEs
Posted: Mon Jun 15, 2026 12:50 pm
by pioruns
koutoftimer wrote: Mon Jun 15, 2026 12:46 pm
I've collected some stats about CVEs factorio currently exposed to and
Code: Select all
Total CVEs affecting versions after 1.1.1g: 47
High: 7
Moderate: 11
Low: 29
Out of which, only one High severity looks promising for man-in-the-middle attack.
Excellent work!
Re: Use recent OpenSSL that has no known CVEs
Posted: Mon Jun 15, 2026 9:17 pm
by MEOWMI
If even one of them could actually be used as a plausible attack vector then it's worth looking into fixing. It doesn't necessarily sound like that is definitely the case but I don't know the details either.
Having said that, I would guess the developers already have looked at it to some degree and I'll have to trust they make the right call.