Minecraft players and those who run Minecraft servers face a new and dangerous security vulnerability, which could allow bad actors to run remote code on their computers. Dubbed as ‘BleedingPipe,’ by a user group called MMPA (Minecraft Malware Prevention Alliance), the exploit uses Java deserialization to infect servers or clients that have one of many popular mods installed.
The number of vulnerable Minecraft mods is extensive. A German goes by Dogboy21 on GitHub has identified three dozen popular mods that have the vulnerability, ranging from AetherCraft to Immersive Armors to ttCore Dogboy21’s Github page also has a patch to fix the problem, which involves getting a new JAR file to put into your mods folder. The MMPA’s blog post lists even more mods that are affected and claims that, specifically, 1.7.10 and 1.12.2 version modpacks are those that are vulnerable.
BleedingPipe works by taking advantage of a problem with the ObjectInputStream class in Java. A hacker can feed data to the server with code that does something malicious, and then, when the server receives the code and “deserializes” it, that code gets executed on the server side. Similarly, if the server itself is infected, it could feed binary data back to a client (a player) whose PC deserializes it locally and executes the code.
If a threat actor is able to execute code on either the server or client side, the possibilities are nearly endless. They could find ways to exfiltrate your user data and use it for identity theft or could take over your computer and use it for Botnet attacks on other systems.
According to the MMPA, a threat actor has scanned all Minecraft servers on the IPv4 address space and may have deployed a malicious payload to them. So, any server running an affected mod could be infected.
BleedingPipe is similar to another recently-discovered exploit within Log4j, a Java logging library. Minecraft.net, an official Microsoft site, has a warning up along with mitigations for the Log4j vulnerability.
MMPA recommends checking for infected files in yours .minecraft directory, using a scanner such as JSus or jNeedle. Dogboy21 recommends downloading his patch if you are using any of the mods.