A critical remote code execution (RCE) vulnerability in modded Minecraft servers, dubbed BleedingPipe, is being exploited by hackers to compromise servers and the devices of players connected to them. BleedingPipe is not a Log4j issue and is unrelated to the Log4Shell (CVE-2021-44228) flaw that hit Minecraft in 2021. It is an unsafe Java deserialization bug in the networking code of a number of Forge mods: they read packet payloads with ObjectInputStream, and readObject() will reconstruct any serializable class present on the receiving JVM's classpath. An attacker who can send a crafted packet to a vulnerable server can therefore run arbitrary code on it, and a compromised server can send the same kind of packet back to vulnerable clients.
The flaw was first reported in March 2022 and some mod developers patched their mods at the time, but many mods remained vulnerable. In July 2023, a Forge forum post warned that the vulnerability was being actively exploited by threat actors.
“On July 9, 2023, a Forge forum post was made about an RCE happening live on a server, managing to compromise the server and send the discord credentials of clients, indicating the spread to clients,” explains the MMPA article. “The issue was nailed down to three mods: EnderCore, BDLib, and LogisticsPipes. However, this post did not go mainstream, and most were not aware.”
In that incident the attackers used the vulnerability to steal players' Discord and Steam session cookies. Since then, hackers have been actively scanning for vulnerable Minecraft servers and exploiting them to install backdoors, steal data, launch DDoS attacks, or push malware to connected players.
Malicious payloads delivered by the BleedingPipe exploit include:
- A Java-based RAT (remote access trojan) that allows attackers to take full control of the compromised server or device.
- A Windows-based RAT that downloads and executes additional malware, such as ransomware, cryptominers, or spyware.
- A Linux-based RAT that targets IoT devices and adds them to a botnet for DDoS attacks.
- A web shell that provides attackers with a web interface to execute commands on the server.
Minecraft Mods where BleedingPipe was found
- LogisticsPipes versions older than 0.10.0.71
- BDLib 1.7 through 1.12
- Smart Moving 1.12
- Advent of Ascension (Nevermine) version 1.12.2
- Astral Sorcery versions 1.9.1 and older
- EnderCore versions below 1.12.2-0.5.77
- JourneyMap versions below 1.16.5-5.7.2
- Minecraft Comes Alive (MCA) versions 1.5.2 through 1.6.4
- RebornCore versions below 4.7.3
- Thaumic Tinkerer versions below 2.3-138
Hackers are actively scanning for Minecraft servers that are vulnerable to BleedingPipe. If your server runs any of the mods above at a vulnerable version, update the mod to a fixed release or migrate to a fork that has fixed the vulnerability.
The MMPA team has released a mod called PipeBlocker that can help to protect your server from BleedingPipe. PipeBlocker filters ObjectInputStream network traffic, which is the channel the exploit uses to deliver its serialized payload, so a malicious packet is rejected before the affected mod deserializes it.
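To make the mechanism concrete, here is an added illustration of the vulnerable pattern and of the kind of filtering a PipeBlocker-style mitigation applies. It is not code from the affected mods, from MMPA or from PipeBlocker, and the class names (PipeSyncPayload, UnexpectedPayload, AllowListObjectInputStream) are hypothetical. The unsafe reader calls ObjectInputStream.readObject() directly on packet bytes it does not control; the hardened reader overrides resolveClass() with an allow-list so that any class descriptor outside the expected packet type is refused before the class is instantiated.

```java
import java.io.*;
import java.util.Collections;
import java.util.Set;

// Added example (not code from any mod or from PipeBlocker). Demonstrates the
// BleedingPipe pattern: ObjectInputStream.readObject() on untrusted packet bytes,
// beside an allow-list filter applied in resolveClass(). Class names are hypothetical.
public class DeserializationDemo {

    // Hypothetical legitimate packet payload the mod expects to receive.
    static final class PipeSyncPayload implements Serializable {
        private static final long serialVersionUID = 1L;
        final int pipeId;
        PipeSyncPayload(int pipeId) { this.pipeId = pipeId; }
    }

    // Stand-in for a class the mod never expects on this channel. A real exploit
    // does not ship its own class; it chains "gadget" classes already present on
    // the server's classpath. The allow-list rejects both in the same way.
    static final class UnexpectedPayload implements Serializable {
        private static final long serialVersionUID = 1L;
        final String note = "not a pipe packet";
    }

    // VULNERABLE: the pattern the affected mods used. Whoever controls the bytes
    // chooses which serializable class on the classpath gets instantiated.
    static Object readPacketUnsafe(byte[] packet) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(packet))) {
            return in.readObject();
        }
    }

    // HARDENED: resolveClass() is consulted for every class descriptor in the
    // stream, so an allow-list here stops a gadget chain before any constructor
    // or readObject() hook runs. This works on Java 8 (the runtime used by the
    // Minecraft 1.7.10 and 1.12.2 mods listed above); on Java 9+ the built-in
    // ObjectInputFilter offers the same control.
    static final class AllowListObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowListObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not on packet allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    static Object readPacketFiltered(byte[] packet, Set<String> allowed) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(packet), allowed)) {
            return in.readObject();
        }
    }

    // Builds a "packet" the way a mod's network layer would: plain Java serialization.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = Collections.singleton(PipeSyncPayload.class.getName());
        byte[] good = serialize(new PipeSyncPayload(42));   // constructed sample packet
        byte[] bad = serialize(new UnexpectedPayload());    // constructed hostile packet

        // The unsafe reader reconstructs whatever the peer sent.
        System.out.println("unsafe, bad packet  -> " + readPacketUnsafe(bad).getClass().getName());

        // The filtered reader accepts the expected class...
        PipeSyncPayload ok = (PipeSyncPayload) readPacketFiltered(good, allowed);
        System.out.println("filtered, good packet -> pipeId=" + ok.pipeId);

        // ...and refuses anything else before it is instantiated.
        try {
            readPacketFiltered(bad, allowed);
        } catch (InvalidClassException e) {
            System.out.println("filtered, bad packet  -> rejected: " + e.getMessage());
        }
    }
}
```

The point to take from the filtered reader is where the check happens: resolveClass() runs while the stream is still being parsed, so a rejected class never has its constructor, readObject() or readResolve() executed. A filter applied after readObject() returns is too late, because the damage from a gadget chain is done during deserialization itself.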
If you are not sure whether your server has already been compromised, use the jNeedle scanners to check for suspicious file additions. These scanners can help you identify mod files that have been modified to carry the BleedingPipe payload.