#VU15560 Spoofing attack in Teeworlds - CVE-2018-18541

Cybersecurity Help s.r.o.

Published: 2018-10-29 | Updated: 2018-10-29

Vulnerability identifier: #VU15560

Vulnerability risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-18541

CWE-ID: CWE-451

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Teeworlds
Client/Desktop applications / Games

Vendor: Teeworlds

Description

The vulnerability allows a remote attacker to conduct IP spoofing attack.

The vulnerability exists due to connection packets can be forged when there was no challenge-response involved in the connection build up. A remote attacker can send connection packets from a spoofed IP address and occupy all server slots, or even use them for a reflection attack using map download packets.

Mitigation
Update to version 0.6.5.

Vulnerable software versions

Teeworlds: 0.4.3 - 0.6.4

External links
https://teeworlds.com/?page=news&id=12544

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

OpenSUSE Linux update for teeworlds

Debian update for teeworlds

Fedora EPEL 7 update for teeworlds

Fedora 29 update for teeworlds

Fedora 27 update for teeworlds

Fedora 28 update for teeworlds

Spoofing attack in Teeworlds