asie Posted July 7, 2023

A security and bugfix release of OpenComputers, version 1.8.3, has been released for Minecraft 1.7.10 and 1.12.2. It should be available on major mod distribution platforms within about an hour (this post will be updated accordingly):

Modrinth: Download
CurseForge: Download
GitHub: 1.7.10, 1.12.2

This version contains a proper fix for CVE-2023-37261: SSRF to cloud (e.g. AWS, GCP, Azure) service metadata services (IMDS) and local IPv6 addresses not blocked by default, as well as enhancements to the Internet Card's connection filtering system. As such, upgrading to this version is considered essential, in particular for server administrators.

Special thanks to Jonathan Leitschuh for bringing this issue to our attention.

A detailed write-up about the vulnerability can be found at this link; what follows is a simplified explanation.

The vulnerability concerns omissions in OpenComputers's packet filtering rules, in particular:

- The list of "local" IPv4 addresses blocked in OpenComputers by default was incomplete, and did not cover many ranges which do not belong to the public Internet, including the typical metadata addresses used by cloud services.
- OpenComputers's Internet Card featured no IPv6 address filtering mechanism whatsoever.

These two omissions allow an attacker to make HTTP and TCP requests on the server's local network (be it through the non-blocked IPv4 addresses or through IPv6 addresses) using a Computer with an Internet Card. Depending on the hosting provider used, other services available on the private network, and any other potential vulnerabilities, this can be used as a launching point for retrieving sensitive information, further exploitation, or probing.

This issue affects every version of OpenComputers with an Internet Card. This includes versions for Minecraft 1.6.x, 1.8.9, 1.10.2 and 1.11.2, for which we cannot currently release satisfactory updated versions due to tooling limitations and time constraints.
The best solution is to update the mod to OpenComputers 1.8.3, if possible in your situation (you control the modpack and are on a supported Minecraft version). Users of the "GregTech: New Horizons" modpack will receive an update separately and are advised to follow the modpack's announcements.

Other than that, here is a list of alternative mitigations that do not require an update. (If you're using OpenComputers 1.2.x, please update. That version has many more long-patched holes.)

- Using the allow list ("internet.whitelist" option) to explicitly list allowed domains and IPs.
- Disabling the Internet Card completely.
- Adding the following entries to the block list ("internet.blacklist" option). Note that "224.0.0.0/3" has a side effect of blocking all IPv6 accesses, due to the way IPv6 address handling is implemented in OpenComputers >= 1.3.0, <= 1.8.2:

"100.64.0.0/10", "169.254.0.0/16", "192.0.0.0/24", "192.0.2.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/3"
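As an added example (not part of this post and not OpenComputers's own filtering code), the following Python shows what a destination filter that closes both gaps described above looks like: it applies the IPv4 block list from the mitigation above together with an assumed set of further non-public IPv4 ranges and IPv6 ranges, unwraps IPv4 addresses embedded in IPv6 literals (IPv4-mapped and 6to4 forms) so they cannot slip past IPv4-only rules, and rejects a hostname if any address it resolves to is blocked, failing closed when resolution returns nothing. The resolver is injected, and the hostnames and their answers below are constructed so the example runs offline; the extra ranges beyond the post's list are my assumption about what a complete default looks like, not the mod's actual default.

```python
import ipaddress
from typing import Callable, Iterable, List, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# IPv4 ranges taken from the mitigation list in the post above.
POST_IPV4_RANGES = [
    "100.64.0.0/10", "169.254.0.0/16", "192.0.0.0/24", "192.0.2.0/24",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/3",
]
# Assumed additions (RFC 1918, loopback, "this network"); not from the post.
ASSUMED_IPV4_RANGES = [
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
]
# Assumed IPv6 ranges: unspecified, loopback, link-local, ULA, multicast,
# NAT64 well-known prefix and documentation prefix. Not from the post.
ASSUMED_IPV6_RANGES = [
    "::/128", "::1/128", "fe80::/10", "fc00::/7", "ff00::/8",
    "64:ff9b::/96", "2001:db8::/32",
]


def build_blocklist(entries: Iterable[str]) -> List[IPNetwork]:
    """Parse CIDR strings once; strict=False tolerates host bits set."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


DEFAULT_BLOCKLIST = build_blocklist(
    POST_IPV4_RANGES + ASSUMED_IPV4_RANGES + ASSUMED_IPV6_RANGES
)


def candidate_addresses(addr: str) -> List[IPAddress]:
    """Return the literal address plus any IPv4 address embedded in it.

    ::ffff:a.b.c.d (IPv4-mapped) and 2002:XXYY:ZZWW:: (6to4) carry an IPv4
    address inside an IPv6 literal; an IPv4-only block list would miss them
    unless the embedded address is also checked.
    """
    ip = ipaddress.ip_address(addr)
    candidates: List[IPAddress] = [ip]
    if isinstance(ip, ipaddress.IPv6Address):
        if ip.ipv4_mapped is not None:
            candidates.append(ip.ipv4_mapped)
        if ip.sixtofour is not None:
            candidates.append(ip.sixtofour)
    return candidates


def is_blocked(addr: str, blocklist: List[IPNetwork] = DEFAULT_BLOCKLIST) -> bool:
    """True if the address, or an IPv4 address embedded in it, is in a blocked range."""
    for ip in candidate_addresses(addr):
        for net in blocklist:
            if ip.version == net.version and ip in net:
                return True
    return False


def check_destination(
    host: str,
    resolve: Callable[[str], List[str]],
    blocklist: List[IPNetwork] = DEFAULT_BLOCKLIST,
) -> Tuple[bool, str]:
    """Decide whether an outbound connection to `host` should be permitted.

    Every resolved address is checked (a name may return a public and a
    private address); no answer at all is treated as a denial (fail closed).
    """
    try:
        addresses = resolve(host)
    except Exception as exc:  # resolver failure must not become an allow
        return False, f"resolution failed: {exc}"
    if not addresses:
        return False, "no addresses resolved"
    for addr in addresses:
        if is_blocked(addr, blocklist):
            return False, f"{addr} is in a blocked range"
    return True, "all resolved addresses are public"


# Constructed resolver table standing in for DNS, so this runs offline.
FAKE_DNS = {
    "public.example": ["93.184.216.34", "2606:4700::1111"],
    "metadata.internal": ["fd00::1"],                         # IPv6 ULA
    "mixed.example": ["93.184.216.34", "169.254.169.254"],    # one bad answer
    "mapped.example": ["::ffff:169.254.169.254"],             # IPv4-mapped
}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for name in ["public.example", "metadata.internal", "mixed.example",
                 "mapped.example", "missing.example"]:
        print(name, check_destination(name, fake_resolve))
```

Two choices matter here. Checking every resolved address rather than the first one is what stops a name that answers with both a public and a link-local address from passing the filter, and treating an empty or failed resolution as a denial keeps the filter from silently turning into an allow-all when the resolver misbehaves.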