CVE-2018-10531

Vulnerability

The America's Army Proving Grounds platform, built on the Unreal Engine, contains a UDP amplification vulnerability. When the server receives a crafted UDP packet with a spoofed source IP, it responds with a larger payload, resulting in traffic amplification. The affected versions are those of the America's Army Proving Grounds game server prior to any patch (no fixed version disclosed). [2]

Exploitation

An attacker can send a small UDP packet to the game server with a forged source IP address (the victim's IP). The server then sends a larger response to that spoofed IP, amplifying the traffic. No authentication or special privileges are required; the attacker only needs network access to the server. [2]

Impact

Successful exploitation allows an attacker to amplify network traffic, potentially causing denial of service (DoS) on the victim's network. This can be leveraged in distributed denial-of-service (DDoS) attacks, overwhelming the target's bandwidth. The amplification factor is significant enough to cause network congestion. [2]

Mitigation

As of the publication date (2019-07-10), no official patch or mitigation has been released by the US Army or Epic Games (Unreal Engine). The vulnerability was disclosed to Mitre and Nist, but no response from the vendor was received. Network administrators may consider filtering UDP traffic to the game server or implementing rate limiting as a workaround. [2]