Discover the critical vulnerability in Minetest (<= 5.5.1) allowing Lua sandbox escape. Learn the impact, affected systems, and mitigation steps for CVE-2022-35978.
Minetest, a free open-source voxel game engine, is affected by a vulnerability that allows a Lua sandbox escape from a mod. This vulnerability can be exploited in single player mode to interfere directly with the user's system.
Understanding CVE-2022-35978
This CVE identifies a critical security issue in Minetest related to Lua scripting.
What is CVE-2022-35978?
Minetest, known for its easy modding and game creation capabilities, is impacted by a flaw that enables a Lua sandbox escape. When a mod sets a global setting controlling the Lua script for the main menu, that script is loaded once the game session exits, outside the sandbox that confines mod code, so the mod can interfere with the user's system at that point.
The Impact of CVE-2022-35978
The vulnerability's impact is significant, with a CVSSv3.1 base score of 7.7 and a high severity rating due to the potential for integrity compromise and direct interference with user systems.
Technical Details of CVE-2022-35978
This section delves into the specifics of the vulnerability.
Vulnerability Description
The flaw lets Lua code from a mod escape the sandbox that is supposed to isolate it from the host, so a mod can interfere with the user's system in ways the sandbox was meant to prevent.
Affected Systems and Versions
Minetest versions up to and including 5.5.1 are susceptible to this vulnerability, exposing users of these versions to potential exploitation.
Exploitation Mechanism
By manipulating the Lua script loaded through a mod in single player mode, an attacker whose mod is installed and run can execute malicious actions that directly affect the user's system when the game session exits.
Mitigation and Prevention
To protect systems from CVE-2022-35978, immediate actions and long-term security practices are essential.
Immediate Steps to Take
Users are advised to update Minetest to a patched version, apply security recommendations, and avoid running unknown mods from untrusted sources.
Long-Term Security Practices
Maintaining up-to-date software versions, monitoring security advisories, and practicing secure mod usage can help prevent similar vulnerabilities.
Patching and Updates
Ensure that Minetest is updated to version 5.6.0 or later, where the vulnerability is fixed, to mitigate the risk of Lua sandbox escapes.
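The two checks a defender can actually run follow from the advisory: the version gate (affected up to 5.5.1, fixed in 5.6.0) and a review of installed mods for the pattern described above, a mod writing global settings. The script below is an added example written for this page; it is not code from the Minetest project or from the advisory. It assumes the real Minetest mod API call `minetest.settings:set(...)` / `:set_bool(...)` is how a mod writes a global setting, treats a pre-release tag on the fixed version (such as `5.6.0-dev`) as still vulnerable (a conservative assumption), and does not name any specific setting; a hit is a signal for manual review, not proof of malice, since some mods legitimately persist their own options this way. The sample mod sources are constructed.

```python
"""Defender-side audit helper for CVE-2022-35978 (added example).

Check 1: version gating.  Minetest <= 5.5.1 is affected, 5.6.0 fixes it.
Check 2: static scan of mod Lua sources for writes to global settings
         (minetest.settings:set / :set_bool), the mechanism the advisory
         describes.  Hits are review signals, not verdicts.
"""
import re
from typing import Dict, List, Optional, Tuple

FIXED_VERSION = (5, 6, 0)  # from the advisory: fixed in 5.6.0

# Matches "5.5.1", "5.6.0-dev", or a version embedded in longer text.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(-[0-9A-Za-z.]+)?")

# Matches a global-settings write and captures the key argument, whether it
# is a double-quoted literal, a single-quoted literal, or a bare expression.
_SETTINGS_WRITE_RE = re.compile(
    r"minetest\.settings\s*:\s*(set|set_bool)\s*\(\s*"
    r"(?:\"([^\"]*)\"|'([^']*)'|([^,)]+))"
)


def parse_version(text: str) -> Tuple[Tuple[int, int, int], bool]:
    """Return ((major, minor, patch), is_prerelease) parsed from text.

    Raises ValueError when no version-like token is present so that an
    unparseable build string is never silently treated as patched.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return version, m.group(4) is not None


def is_vulnerable_version(text: str) -> bool:
    """True when the build is below the fixed release.

    Assumption: a pre-release tag on the fixed version (e.g. '5.6.0-dev')
    is treated as vulnerable, since such builds may predate the fix.
    """
    version, prerelease = parse_version(text)
    if version < FIXED_VERSION:
        return True
    return version == FIXED_VERSION and prerelease


def find_settings_writes(lua_source: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, method, key) for each global-settings write.

    Full-line Lua comments are skipped.  When the key is not a string
    literal, the raw expression is returned so a reviewer can see that
    the target setting is chosen dynamically.
    """
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(lua_source.splitlines(), start=1):
        if line.lstrip().startswith("--"):
            continue
        for m in _SETTINGS_WRITE_RE.finditer(line):
            key: Optional[str] = m.group(2)
            if key is None:
                key = m.group(3) if m.group(3) is not None else m.group(4).strip()
            hits.append((lineno, m.group(1), key))
    return hits


def audit_mods(mods: Dict[str, str]) -> Dict[str, List[Tuple[int, str, str]]]:
    """Map mod name -> settings writes, keeping only mods with at least one."""
    report = {}
    for name, source in mods.items():
        hits = find_settings_writes(source)
        if hits:
            report[name] = hits
    return report


# Constructed sample mod sources for illustration (not real mods).
SAMPLE_MODS = {
    # Only reads a setting: nothing to flag.
    "clean_mod": 'local dmg = minetest.settings:get_bool("enable_damage")\n',
    # Writes global settings: flagged for review.
    "suspect_mod": (
        "-- constructed sample, the key name below is a placeholder\n"
        'minetest.settings:set("example_setting", "value")\n'
        "minetest.settings:set_bool('enable_damage', true)\n"
    ),
}

if __name__ == "__main__":
    for build in ("5.5.1", "5.6.0-dev", "5.6.0", "Minetest 5.7.0"):
        state = "VULNERABLE" if is_vulnerable_version(build) else "patched"
        print(f"{build:16} {state}")
    for name, hits in audit_mods(SAMPLE_MODS).items():
        for lineno, method, key in hits:
            print(f"{name}: line {lineno} writes setting {key!r} via :{method}()")
```

Run it against a real installation by feeding the output of the installed binary's version string to `is_vulnerable_version` and the contents of each `init.lua` under the mods directory to `find_settings_writes`; anything flagged should be read by a person before the mod is enabled.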