Hackers have been actively exploiting the ‘BleedingPipe’ vulnerability in Minecraft mods, which allows them to execute malicious commands on both servers and clients, granting them control over the devices.
The vulnerability arises from mods feeding untrusted network packets into Java's ‘ObjectInputStream’ and deserializing them without restricting which classes the stream may instantiate. The flaw lies in how the mods use the class for server-client packet exchange, not in ObjectInputStream itself: Java deserialization of attacker-controlled bytes can instantiate any serializable class on the classpath, which is the well-known path to remote code execution.
Attackers craft malicious serialized packets and send them to vulnerable modded servers, taking over those servers. A compromised server can then send the same kind of packet to connecting players, exploiting the same flaw in the mods installed client-side and installing malware on players’ machines.
A recent report from the Minecraft Malware Prevention Alliance (MMPA) reveals that the BleedingPipe flaw affects numerous mods running on 1.7.10 and 1.12.2 Forge, exposing the community to exploitation. The issue was first reported in March 2022 and was fixed by the developers of the mods identified at the time, but other mods using the same deserialization pattern were not covered by those fixes.
This month, however, a Forge forum post reported widespread active exploitation of what was then an undisclosed remote code execution (RCE) flaw, used to steal players’ Discord and Steam session cookies; those attacks were subsequently tied to BleedingPipe. EnderCore, BDLib, and LogisticsPipes are among the mods confirmed to be affected, but the list of known vulnerable mods is not exhaustive, and many others are potentially at risk.
MMPA reports that threat actors are actively scanning the internet for vulnerable Minecraft servers to exploit the BleedingPipe flaw, so server administrators should update any vulnerable mods without delay. Users are advised to download the latest versions of the affected mods from their official release channels or switch to maintained forks that include the fix. In addition, the MMPA team has released the ‘PipeBlocker’ mod, which protects Forge servers and clients by filtering the classes that ‘ObjectInputStream’ is allowed to deserialize from network traffic.
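As an added illustration of the deserialization pattern described above and of the kind of class filtering PipeBlocker applies, the following Java program is not code from MMPA, PipeBlocker, or any of the mods named here. It shows a packet handler that deserializes network bytes with a bare ‘ObjectInputStream’ beside a hardened variant that overrides ‘resolveClass’ to allow only the mod's own packet class. ‘SyncPacket’, the method names, and both sample payloads are hypothetical; the "hostile" payload is simply a non-allowlisted ‘ArrayList’ standing in for a real gadget chain, which the example deliberately omits.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class PacketDeserializationDemo {

    // Hypothetical mod packet; stands in for whatever Serializable a mod sends over the wire.
    public static final class SyncPacket implements Serializable {
        private static final long serialVersionUID = 1L;
        final String tileId;
        final int energy;
        SyncPacket(String tileId, int energy) { this.tileId = tileId; this.energy = energy; }
    }

    // VULNERABLE: the BleedingPipe pattern. The remote peer chooses which serializable
    // class on the classpath gets instantiated, including any with dangerous
    // readObject/readResolve side effects.
    static Object readPacketVulnerable(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            return in.readObject();
        }
    }

    // HARDENED: reject every class descriptor that is not on an explicit allowlist.
    // resolveClass is consulted for every non-String, non-primitive class in the stream
    // (including array types such as "[B"), so it is reached before any object is created.
    // This approach works on Java 8, which 1.7.10/1.12.2 Forge runs on.
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class is not on the packet allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    // Hypothetical allowlist: only the mod's own packet type. Any wrapper or array types
    // the packet carries as fields would have to be added here as well.
    static final Set<String> PACKET_ALLOWLIST = new HashSet<>(Arrays.asList(SyncPacket.class.getName()));

    static Object readPacketHardened(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(payload), PACKET_ALLOWLIST)) {
            return in.readObject();
        }
    }

    // Helper to build constructed sample payloads for the demo.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new SyncPacket("tile:42", 1000));
        // Constructed stand-in for a hostile payload: any serializable class outside the allowlist.
        byte[] hostile = serialize(new java.util.ArrayList<Object>(Arrays.asList("gadget", 1)));

        // The vulnerable reader happily materialises whatever the peer sent.
        System.out.println("vulnerable reader produced: " + readPacketVulnerable(hostile).getClass().getName());

        // The hardened reader still accepts the real packet ...
        SyncPacket p = (SyncPacket) readPacketHardened(legit);
        System.out.println("hardened reader accepted: " + p.tileId + " energy=" + p.energy);

        // ... and refuses the foreign class before any instance of it exists.
        try {
            readPacketHardened(hostile);
        } catch (InvalidClassException e) {
            System.out.println("hardened reader rejected: " + e.classname);
        }
    }
}
```

On Java 8u121 and later, and on Java 9+, the JEP 290 serialization filter (the ‘jdk.serialFilter’ system property, or ‘ObjectInputFilter’ in Java 9+) offers the same allowlisting at the JVM level; a mod-level override such as the one above is what you reach for when you cannot control the JVM flags of every server and client that loads the mod.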
To check for compromise, server administrators should run the ‘jSus’ or ‘jNeedle’ scanners over their mod directories to look for suspicious file additions, and players who use any of the vulnerable mods should scan their own mod directories the same way. Desktop users should also run an antivirus scan for malicious executables dropped on the system. Given that the observed attacks stole Discord and Steam session cookies, anyone whose client ran an infected mod should treat those sessions as compromised and sign out of all active sessions on both services.