{
   "expand": "operations,versionedRepresentations,editmeta,changelog,renderedFields",
   "id": "495569",
   "self": "https://bugs.mojang.com/rest/api/2/issue/495569",
   "key": "BDS-16752",
   "fields": {
      "issuetype": "1",
      "project": "11700",
      "fixVersions": [],
      "resolution": "3",
      "customfield_10500": {
         "self": "https://bugs.mojang.com/rest/api/2/customFieldOption/10300",
         "value": "Unconfirmed",
         "id": "10300",
         "disabled": false
      },
      "customfield_12800": null,
      "customfield_12602": [],
      "customfield_12601": null,
      "customfield_12604": null,
      "customfield_12603": null,
      "customfield_12606": null,
      "customfield_12605": null,
      "customfield_12608": null,
      "resolutiondate": "2022-02-16T14:50:36.000+0200",
      "customfield_12607": null,
      "customfield_12609": null,
      "workratio": -1,
      "lastViewed": null,
      "watches": {
         "self": "https://bugs.mojang.com/rest/api/2/issue/BDS-16752/watchers",
         "watchCount": 1,
         "isWatching": false
      },
      "created": "2022-02-16T13:28:35.000+0200",
      "customfield_12000": null,
      "customfield_12201": null,
      "customfield_12600": null,
      "labels": [
         "NetworkPacket",
         "bds",
         "vulnerability"
      ],
      "customfield_11700": "{}",
      "versions": [
         "20628"
      ],
      "issuelinks": [
         {
            "id": "263084",
            "self": "https://bugs.mojang.com/rest/api/2/issueLink/263084",
            "type": "10102",
            "outwardIssue": "472169"
         }
      ],
      "assignee": null,
      "updated": "2022-02-16T15:59:08.000+0200",
      "status": "5",
      "description": "h2. Introduction of the situation\r\n\r\nRecently, the community received numbers of reports about network attack to BDS servers. After capturing packets and analysis, several serious *vulnerabilities* were found. \r\nNow we know that through sending malicious attack packets, hackers can make the server crash, or cause the main thread jamming.\r\n\r\nSome vulnerability exploitation tools have been *published* to github, and some have been under a large number of public dissemination. These vulnerabilities cause great harm to BDS server operations.\r\nh2. Realms and Netease are under attack\r\n\r\nNot only for BDS servers, these vulnerabilities can also be used to crash *XBox Realms* servers and the Chinese version of the {*}Netease servers{*}. There have been reports of attacks that by scanning the network segment and conducting a bulk attack, hackers can easily cause a large number of Realms servers to crash and restart\r\nh2. Attack replay tools\r\n\r\nSeveral vulnerabilities or their exploits are attached *below* as an attachment. The attack can be reproduced using the provided replay tool. The introduction and usage is packed in this zip file\r\nh2. Possible solution\r\n\r\nI think it will help to solve these problems: \r\nIdentify all incoming packets , and prohibit receiving all packets that are not from the player in the server by checking valid *NetworkIdentifier* or *NetworkHandler::Connection*\r\nAnd then, these replay attacks will never occur any more.\r\n\r\nThe community have been trying to fix these vulnerabilities to protect ourselves for a long time. Some community fixes can be found at [https://github.com/LiteLDev/LiteLoaderBDS/blob/main/LiteLoader/Main/BuiltinBugFix.cpp]\r\n\r\nh2. Advice & Future\r\nCurrently, it is rumored that new vulnerabilities are still being explored and used for attacks. 
We *urge* Mojang to pay attention to the related issues, review and check the potential safety hazards for the whole network layer (around NetworkHandler and other code about packets)\r\n\r\nSince the vulnerability has been abused, we hope that it can be fixed *as soon as possible*",
      "customfield_11100": 0.0,
      "customfield_11300": null,
      "customfield_11500": null,
      "customfield_12503": null,
      "customfield_12700": null,
      "customfield_12502": null,
      "security": {
         "self": "https://bugs.mojang.com/rest/api/2/securitylevel/10318",
         "id": "10318",
         "description": "Private, viewable only by volunteers and up.",
         "name": "Minecraft - Private"
      },
      "customfield_12504": null,
      "attachment": [
         "472560",
         "472557"
      ],
      "summary": "Several network layer vulnerabilities exist that seriously harm the security of the BDS server",
      "creator": "JIRAUSER580793",
      "reporter": "JIRAUSER580793",
      "customfield_10002": null,
      "customfield_12501": null,
      "customfield_12500": null,
      "customfield_11601": null,
      "customfield_11600": "0|i26yxb:",
      "environment": "Windows Server 2019, 2016 or any other version",
      "customfield_11801": null,
      "customfield_11800": null,
      "customfield_11602": null,
      "customfield_11802": null,
      "comment": {
         "comments": [
            {
               "self": "https://bugs.mojang.com/rest/api/2/issue/495569/comment/1141909",
               "id": "1141909",
               "author": "JIRAUSER648376",
               "body": "*Thank you for your report!*\r\nWe're tracking this issue in *BDS-15528*, so this ticket is being resolved and linked as a *duplicate*.\r\n\r\nIf you would like to add a vote and any extra information to the main ticket it would be appreciated.\r\n\r\nIf you haven't already, you might like to make use of the [*+search feature+*|https://bugs.mojang.com/issues/?jql=project=BDS] to see if the issue has already been mentioned.\r\n\r\n*Quick Links*:\r\n\ud83d\udcd3 [Bug Tracker Guidelines|https://aka.ms/MCBugTrackerHelp] -- \ud83d\udce7 [Mojang Support|https://help.minecraft.net/hc/en-us/requests/new]\r\n\ud83d\udcd3 [Project Summary|https://bugs.mojang.com/projects/BDS/summary] -- \u270d\ufe0f [Feedback and Suggestions|https://feedback.minecraft.net/] -- \ud83d\udcd6 [BDS Wiki|https://minecraft.fandom.com/wiki/Bedrock_Dedicated_Server] -- \ud83d\udcd6 [FAQs|https://help.minecraft.net/hc/en-us/articles/360035131651-Dedicated-Servers-for-Minecraft-on-Bedrock-]",
               "updateAuthor": "JIRAUSER648376",
               "created": "2022-02-16T14:50:36.856+0200",
               "updated": "2022-02-16T14:50:36.856+0200"
            },
            {
               "self": "https://bugs.mojang.com/rest/api/2/issue/495569/comment/1141918",
               "id": "1141918",
               "author": "JIRAUSER580793",
               "body": "I don't think it is a duplicate because this provides 3 other vulnerabilities and their replay tools\r\nThese three new vulnerabilities are serious too, and the tools provided can help you better solve these problems",
               "updateAuthor": "JIRAUSER580793",
               "created": "2022-02-16T15:20:31.356+0200",
               "updated": "2022-02-16T15:20:31.356+0200"
            }
         ],
         "maxResults": 2,
         "total": 2,
         "startAt": 0
      },
      "votes": {
         "self": "https://bugs.mojang.com/rest/api/2/issue/BDS-16752/votes",
         "votes": 0,
         "hasVoted": false
      }
   },
   "changelog": {
      "startAt": 0,
      "maxResults": 9,
      "total": 9,
      "histories": [
         {
            "id": "2524954",
            "author": "JIRAUSER580793",
            "created": "2022-02-16T13:34:46.633+0200",
            "items": [
               {
                  "field": "summary",
                  "fieldtype": "jira",
                  "from": null,
                  "fromString": "Several network layer vulnerabilities exist that seriously compromise the security of the BDS server",
                  "to": null,
                  "toString": "Several network layer vulnerabilities exist that seriously harm the security of the BDS server"
               }
            ]
         },
         {
            "id": "2524955",
            "author": "JIRAUSER580793",
            "created": "2022-02-16T13:41:24.923+0200",
            "items": [
               {
                  "field": "labels",
                  "fieldtype": "jira",
                  "from": null,
                  "fromString": "",
                  "to": null,
                  "toString": "NetworkPacket bds vulnerability"
               }
            ]
         },
         {
            "id": "2524956",
            "author": "JIRAUSER580793",
            "created": "2022-02-16T13:45:15.908+0200",
            "items": [
               {
                  "field": "description",
                  "fieldtype": "jira",
                  "from": null,
                  "fromString": "h2. Introduction of the situation\r\n\r\nRecently, the community received numbers of reports about network attack to BDS servers. After capturing packets and analysis, several serious *vulnerabilities* were found. \r\nNow we know that through sending malicious attack packets, hackers can make the server crash, or cause the main thread jamming.\r\n\r\nSome vulnerability exploitation tools have been *published* to github, and some have been under a large number of public dissemination. These vulnerabilities cause great harm to BDS server operations.\r\nh2. Realms and Netease are under attack\r\n\r\nNot only for BDS servers, these vulnerabilities can also be used to crash *XBox Realms* servers and the Chinese version of the {*}Netease servers{*}. There have been reports of attacks that by scanning the network segment and conducting a bulk attack, hackers can easily cause a large number of Realms servers to crash and restart\r\nh2. Attack replay tools\r\n\r\nSeveral vulnerabilities or their exploits are attached *below* as an attachment. The attack can be reproduced using the provided replay tool. The introduction and usage is packed in this zip file\r\nh2. Possible solution\r\n\r\nI think it will help to solve these problems: \r\nIdentify all incoming packets , and prohibit receiving all packets that are not from the player in the server by checking valid *NetworkIdentifier* or *NetworkHandler::Connection*\r\nAnd then, these replay attacks will never occur any more.\r\n\r\nThe community have been trying to fix these vulnerabilities to protect ourselves for a long time. Some community fixes can be found at [https://github.com/LiteLDev/LiteLoaderBDS/blob/main/LiteLoader/Main/BuiltinBugFix.cpp]\r\n\r\nh2. Advice & Future\r\nCurrently, it is rumored that new vulnerabilities are still being explored and used for attacks. 
We *urge* Mojang to pay attention to the related issues, review and check the potential safety hazards for the whole network layer (around NetworkHandler and other code about packets)",
                  "to": null,
                  "toString": "h2. Introduction of the situation\r\n\r\nRecently, the community received numbers of reports about network attack to BDS servers. After capturing packets and analysis, several serious *vulnerabilities* were found. \r\nNow we know that through sending malicious attack packets, hackers can make the server crash, or cause the main thread jamming.\r\n\r\nSome vulnerability exploitation tools have been *published* to github, and some have been under a large number of public dissemination. These vulnerabilities cause great harm to BDS server operations.\r\nh2. Realms and Netease are under attack\r\n\r\nNot only for BDS servers, these vulnerabilities can also be used to crash *XBox Realms* servers and the Chinese version of the {*}Netease servers{*}. There have been reports of attacks that by scanning the network segment and conducting a bulk attack, hackers can easily cause a large number of Realms servers to crash and restart\r\nh2. Attack replay tools\r\n\r\nSeveral vulnerabilities or their exploits are attached *below* as an attachment. The attack can be reproduced using the provided replay tool. The introduction and usage is packed in this zip file\r\nh2. Possible solution\r\n\r\nI think it will help to solve these problems: \r\nIdentify all incoming packets , and prohibit receiving all packets that are not from the player in the server by checking valid *NetworkIdentifier* or *NetworkHandler::Connection*\r\nAnd then, these replay attacks will never occur any more.\r\n\r\nThe community have been trying to fix these vulnerabilities to protect ourselves for a long time. Some community fixes can be found at [https://github.com/LiteLDev/LiteLoaderBDS/blob/main/LiteLoader/Main/BuiltinBugFix.cpp]\r\n\r\nh2. Advice & Future\r\nCurrently, it is rumored that new vulnerabilities are still being explored and used for attacks. 
We *urge* Mojang to pay attention to the related issues, review and check the potential safety hazards for the whole network layer (around NetworkHandler and other code about packets)\r\n\r\nSince the vulnerability has been abused, we hope that it can be fixed *as soon as possible*"
               }
            ]
         },
         {
            "id": "2524963",
            "author": "JIRAUSER648376",
            "created": "2022-02-16T14:47:12.710+0200",
            "items": [
               {
                  "field": "resolution",
                  "fieldtype": "jira",
                  "from": null,
                  "fromString": null,
                  "to": "10001",
                  "toString": "Awaiting Response"
               },
               {
                  "field": "status",
                  "fieldtype": "jira",
                  "from": "1",
                  "fromString": "Open",
                  "to": "5",
                  "toString": "Resolved"
               }
            ]
         },
         {
            "id": "2524964",
            "author": "JIRAUSER648376",
            "created": "2022-02-16T14:49:07.445+0200",
            "items": [
               {
                  "field": "Comment",
                  "fieldtype": "jira",
                  "from": "Hi\r\n\r\nDoes ticket BDS-15528 describe your issues?\r\n\r\nThis ticket will automatically reopen when you reply.\u00a0",
                  "fromString": null,
                  "to": null,
                  "toString": null
               }
            ]
         },
         {
            "id": "2524965",
            "author": "JIRAUSER648376",
            "created": "2022-02-16T14:49:11.267+0200",
            "items": [
               {
                  "field": "resolution",
                  "fieldtype": "jira",
                  "from": "10001",
                  "fromString": "Awaiting Response",
                  "to": null,
                  "toString": null
               },
               {
                  "field": "status",
                  "fieldtype": "jira",
                  "from": "5",
                  "fromString": "Resolved",
                  "to": "4",
                  "toString": "Reopened"
               }
            ]
         },
         {
            "id": "2524966",
            "author": "JIRAUSER648376",
            "created": "2022-02-16T14:50:36.860+0200",
            "items": [
               {
                  "field": "Link",
                  "fieldtype": "jira",
                  "from": null,
                  "fromString": null,
                  "to": "BDS-15528",
                  "toString": "This issue duplicates BDS-15528"
               }
            ]
         },
         {
            "id": "2524968",
            "author": "JIRAUSER648376",
            "created": "2022-02-16T14:50:36.867+0200",
            "items": [
               {
                  "field": "resolution",
                  "fieldtype": "jira",
                  "from": null,
                  "fromString": null,
                  "to": "3",
                  "toString": "Duplicate"
               },
               {
                  "field": "status",
                  "fieldtype": "jira",
                  "from": "4",
                  "fromString": "Reopened",
                  "to": "5",
                  "toString": "Resolved"
               }
            ]
         },
         {
            "id": "2524995",
            "author": "JIRAUSER580793",
            "created": "2022-02-16T15:59:08.691+0200",
            "items": [
               {
                  "field": "Attachment",
                  "fieldtype": "jira",
                  "from": null,
                  "fromString": null,
                  "to": "472560",
                  "toString": "introduction.png"
               }
            ]
         }
      ]
   }
}