Insecure Update Mechanism in Tencent GameLoop Affects User Systems
CVE-2021-33879

8.1HIGH

Key Information:

Vendor

Tencent

Status
Gameloop
Vendor
CVE Published:
6 June 2021

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2021-33879?

Tencent GameLoop versions before 4.1.21.90 expose users to a serious security risk through an insecure update mechanism. By downloading updates over an unencrypted HTTP connection, the software can be manipulated by an attacker in a Man-In-The-Middle (MITM) position. This exploitation allows the attacker to alter the contents of an update package's XML document, potentially redirecting users to download malicious executables. The reliance solely on MD5 checksum validation for integrity checks further compounds the risk, leading to unauthorized code execution on the victim's device.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

cve-2021-33879
Created by mmiszczyk

References

https://www.gameloop.com
x_refsource_MISC
https://github.com/mmiszczyk/cve-2021-33879
x_refsource_MISC

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.