BleedingPipe: A Deep Dive into the Minecraft Mods Vulnerability

As the landscape of gaming continues to expand and diversify, the specter of security threats looms larger. A recent vulnerability, aptly named "BleedingPipe", has emerged as a significant concern within the Minecraft community. This exploit, already active in the wild, impacts a range of popular Minecraft mods, potentially compromising the security of both clients and servers. In this blog post, we aim to shed light on this issue and answer two pressing questions: Is it safe to play Minecraft right now? And what version of Minecraft is vulnerable?

The BleedingPipe Vulnerability: An Overview

BleedingPipe is a Remote Code Execution (RCE) vulnerability that has been exploited in the wild, affecting Minecraft mods, particularly those running on versions 1.7.10 and 1.12.2 of Forge. This exploit allows for full remote code execution on both clients and servers, posing a significant threat to Minecraft players and server administrators alike.

The vulnerability lies not in Forge itself, but in mods using unsafe deserialization code. The known affected mods include EnderCore, LogisticsPipes, BDLib, Smart Moving 1.12, Brazier, DankNull, and Gadomancy. However, it's important to note that other versions of Minecraft could also be affected if an affected mod is installed.

Technical Details: Unraveling the BleedingPipe Vulnerability

At its core, the BleedingPipe vulnerability is a well-known issue with deserialization using ObjectInputStream. The affected mods used ObjectInputStream (OIS) in their networking code, which meant that packets carrying maliciously serialized data could be sent to them and would be deserialized on receipt. This allowed arbitrary code to be run on the server. A compromised server could then do the same thing to every connected client, spreading the infection in the reverse direction, from the server to all of its clients.

This vulnerability is not a new phenomenon in the Java community and is generally referred to as a deserialization attack or gadget chain. However, the scale of its impact within the Minecraft community is unprecedented.

If you are a mod developer and use ObjectInputStream, it's recommended to switch to a different, safe serializer or to create your own. This can help prevent similar vulnerabilities from being exploited in the future.

Is It Safe to Play Minecraft Right Now?

The safety of playing Minecraft currently hinges on the mods and versions you're using. If you're using any of the affected mods on the vulnerable versions, it may not be safe. However, if you're playing on a version that isn't affected or if you've updated your mods to the latest versions, it should be safe.

As a player, it's recommended to check for suspicious files, perform an antivirus scan, and do a scan on your .minecraft directory with a tool like jSus or jNeedle. If you don’t play on servers, you are not affected.

What Version of Minecraft is Vulnerable?

The versions 1.7.10 and 1.12.2 of Minecraft are known to be vulnerable, especially if they have the affected mods installed. Other versions could also be affected if an affected mod is installed.

Mitigating the Risk

To mitigate the risk, players and server admins should update to the latest versions of EnderIO or LogisticsPipes on CurseForge. If you have BDLib, it's recommended to migrate to the GT New Horizons fork if possible. Installing the mod PipeBlocker on both Forge servers and clients can also help mitigate the risk.

In Conclusion

The BleedingPipe vulnerability underscores the intricate interplay between gaming and cybersecurity. It's a stark reminder that even in the realm of pixels and virtual landscapes, real-world risks persist. As we navigate the digital terrain of Minecraft, staying informed and vigilant is our best defense. By updating mods, scanning for suspicious files, and understanding the nature of the threats we face, users can continue to mine, build, and explore with peace of mind.