VYPR
Critical severity 9.8 (NVD) · Advisory · Published Dec 27, 2017 · Updated May 13, 2026

CVE-2017-17877

Description

Valve Steam Link build 643 enables SSH daemon publicly via IPv6, allowing remote attackers to guess the MAC address and brute-force root login.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An issue discovered in Valve Steam Link build 643 exposes the SSH daemon (sshd) to the internet over IPv6 by default when SSH is enabled for local development. The device uses stateless address autoconfiguration (SLAAC) for IPv6, which embeds the device's MAC address in the IPv6 interface identifier, including the device-specific 24-bit suffix (the last 24 bits of the MAC). Since the MAC vendor prefix (E0:31:9E, Valve) is known, an attacker needs to guess only those 24 bits to compute the Steam Link's IPv6 address. The SSH service is bound to all addresses (0.0.0.0 and ::) and is reachable over IPv6 on TCP port 22. The root password is set to "steamlink123" by default and is not changed in many deployments [2].
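The address construction described above is what makes the exposure cheap to find, so a useful defender-side check is to audit your own IPv6 addresses for MAC-derived (EUI-64) interface identifiers. The following Python is an added example, not code from the advisory or from Valve: it recovers the MAC embedded in a SLAAC address (RFC 4291 EUI-64 layout, `ff:fe` inserted in the middle and the universal/local bit flipped) and flags non-link-local addresses whose OUI matches the Valve prefix stated above. The sample addresses are constructed for illustration; only the E0:31:9E prefix comes from the advisory.

```python
import ipaddress

# Vendor prefix (OUI) named in the advisory; everything else below is constructed.
VALVE_OUI = "e0:31:9e"


def eui64_to_mac(addr: str):
    """Return the MAC embedded in an EUI-64 (SLAAC) IPv6 address, or None.

    EUI-64 interface identifiers have 0xff 0xfe at bytes 3-4 of the 64-bit IID
    and the universal/local bit (0x02 of the first byte) inverted (RFC 4291).
    """
    ip = ipaddress.IPv6Address(addr)
    iid = ip.packed[8:]  # low 64 bits = interface identifier
    if iid[3:5] != b"\xff\xfe":
        return None  # privacy-extension or manually assigned IID, not MAC-derived
    first = iid[0] ^ 0x02  # undo the u/l bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def audit_addresses(addrs, oui=VALVE_OUI):
    """Classify each address: does it embed a MAC, is it link-local only, and does
    the embedded OUI match the vendor prefix of interest? Returns a list of dicts."""
    findings = []
    for a in addrs:
        ip = ipaddress.IPv6Address(a)
        mac = eui64_to_mac(a)
        findings.append({
            "address": str(ip),
            "embedded_mac": mac,
            # link-local (fe80::/10) addresses are not reachable from the internet
            "link_local": ip.is_link_local,
            # the exposure the advisory describes: a routable address whose IID
            # reveals a known OUI, leaving only 24 unknown bits to enumerate
            "matches_oui": mac is not None and mac.startswith(oui),
        })
    return findings


def exposed_addresses(addrs, oui=VALVE_OUI):
    """Only the routable, MAC-derived addresses carrying the given OUI."""
    return [f["address"] for f in audit_addresses(addrs, oui)
            if f["matches_oui"] and not f["link_local"]]


# Constructed sample: a SLAAC address built from MAC e0:31:9e:12:34:56 under a
# documentation prefix, a privacy-extension address, and a link-local address.
SAMPLE_ADDRS = [
    "2001:db8:abcd:1:e231:9eff:fe12:3456",   # EUI-64 from Valve OUI, routable
    "2001:db8:abcd:1:3a7c:91d2:5e40:aa19",   # RFC 4941 temporary address
    "fe80::e231:9eff:fe12:3456",             # same MAC, link-local only
]

if __name__ == "__main__":
    for f in audit_addresses(SAMPLE_ADDRS):
        print(f)
    print("exposed:", exposed_addresses(SAMPLE_ADDRS))
```

Feed it the addresses from `ip -6 addr` (or a router's client list) to see which devices advertise a MAC-derived global address; a device that shows up as exposed should be moved to temporary addresses, or its SSH service restricted, as in the Mitigation section.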

Exploitation

An attacker needs internet connectivity and knowledge of the target's /64 IPv6 prefix (which can be obtained through various enumeration techniques). To exploit the vulnerability, the attacker scans the /64 subnet for addresses derived from the Valve MAC prefix and a guess of the unknown 24 bits, looking for TCP port 22 open. This scanning can be performed with a modified version of ZMap supporting IPv6, taking a few hours at a moderate packet rate (avoiding denial of service to the target's modem/router). Once the Steam Link's IPv6 address is discovered, the attacker connects via SSH as root (root login is permitted by default) and authenticates using the default password "steamlink123" (or a truncated version thereof) [2].

Impact

Successful exploitation gives the attacker root-level shell access to the Steam Link device. With root privileges, the attacker can fully compromise the device, including exfiltration of local data, installation of persistent malware, and use of the device as a pivot point for further network attacks. The attack is particularly severe because it can be performed remotely over the internet without any user interaction and without the user's knowledge (as IPv6 connectivity is often enabled transparently in home networks) [2].

Mitigation

Valve has not released a public patch or fixed version for this issue in the available references. The Steam Link SDK documentation recommends that users change the default root password after enabling SSH, but many users may not follow this step [1]. As a workaround, users should disable the SSH daemon if it is not needed, or change the root password to a strong value immediately after enabling SSH. Additionally, users can block inbound IPv6 traffic to TCP port 22 at the router/firewall level. This CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [2].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in our index yet)