Dota 2 high severity flaw exploited in game mode

February 22, 2023 - TuxCare PR Team

A game mode in Dota 2 exploited a high-severity vulnerability, allowing attackers to remotely execute code on the targeted system. The flaw was discovered in September 2022, but it went unpatched until January 2023, leaving Dota 2 players vulnerable to attacks.

The bug was discovered in the game’s custom game mode feature, which allows players to create their own Dota 2 games. A flaw in the custom game mode code allowed an attacker to execute arbitrary code on the targeted system.

The vulnerability, CVE-2021-38003, was discovered in Google’s open source JavaScript engine V8, which is included in Dota 2. Although Google patched the vulnerability in October 2021, Dota 2 developer Valve didn’t update its software to use the patched V8 engine until last month, after researchers privately alerted the company to the critical vulnerability.

Avast researchers discovered the problem and reported it to Valve, the game’s developer. Valve immediately updated the game’s code to a new (patched) version of V8, and the rogue game mods were removed from its Steam online store. According to Avast, the gaming company also notified the small number of users who downloaded the backdoor about the issue and implemented unspecified “other measures” to reduce Dota 2’s attack surface.

“Overthrow II” was the game mode that exploited the vulnerability. The game mode was available on the Steam Workshop, a platform where players can share custom game modes with others. The game mode was downloaded by over 2,500 players and remained available on the Steam Workshop until January 2023, when it was removed by Valve.

The person who uploaded the code to Valve’s Steam store made use of the fact that Dota 2 allows players to customize the game in a variety of ways. According to Avast, Dota’s game engine allows anyone with even basic programming skills to create custom items such as wearables, loading screens, chat emojis, and even entire custom game modes or new games. They can then upload those custom items to the Steam store, which checks them for inappropriate content before making them available for other players to download and use.

Valve, the company behind Dota 2, addressed the vulnerability with a security update in January 2023. The company advised Dota 2 players to update their game to the latest version as soon as possible to protect themselves from potential attacks.

The incident serves as a reminder that even well-known games are susceptible to security flaws, emphasizing the importance of timely patching and updates. Players should always update their games and avoid downloading custom game modes from untrustworthy sources.

The sources for this piece include an article in ArsTechnica.
