We have identified a security vulnerability that may allow a malicious actor to remotely control affected servers.
This vulnerability does not permit remote access to, or control of the underlying host machine or operating system.
If you are renting a server from a game hosting provider, we strongly recommend opening a support ticket and referencing this wiki article. As a customer, you will not be able to remediate this issue on your own.
An attacker exploiting this vulnerability may be able to perform the following actions without any prior auth:
At this time, there are two known methods to prevent exploitation:
Notice: If you pick either method you must use
DSSettings.txtas explained in configuration or your server will never load a save file.
7777 (or whichever value is defined by your Port parameter).This mitigation is effective as the server only requires UDP traffic for normal operation.
(Thanks to Sara for identifying this parameter)
-RCWebControlDisable and -RCWebInterfaceDisableWe recommend applying one of the above mitigations immediately (or both) to reduce the risk of unauthorized access.
CreepyJar have been made aware of this vulnerability and have been sent proof of concept code, pleae do not pester the CreepyJar staff regarding this.