Open h1z1 opened 6 years ago
Can you give more details on what you're seeing? The link you posted seems unrelated as it concerns an Android service. At what stage of running SteamVR does the connection happen?
@Plagman - Happens on startup of Steam before the login even appears. I'm assuming when Steam detects a Vive it begins to enable it.
The specific host was to ro.htc.appupdate.url above - http://apu-chin.htc.com and I agree, it should have nothing to do with that as I'm not using an Android nor do I have any other HTC device.
Steam itself runs in a VM and on an isolated vlan. Traffic was captured from the host.
bump? [Feb 14 2018] [Apr 08 2018]
.. or would you prefer CVE's be generated before Valve takes security seriously?
Soooo is Valve going to ever respond to people actually reporting such bugs on Github or do you need them all to be public CVE's before you start caring? Asking for the Internet.
The root cause of this vulnerability is a buffer overflow in one of Steam's many internal libraries —and more specifically in Steam's code that dealt with fragmented UDP datagram reassembly.
Did that update have any impact on the original issue? If not, are you in the US?
How did you install an Android service on CentOS? Also, why did you install it?
@ryao Don't know who that was directed at. I didn't install anything android on CentOS. I'm guessing it's using the same infrastructure as their (HTC) mobile devices.
CheckinProvider.apk Is an Android package.
Indeed, the refereced page and quote were simply documenting where I found the vive software was attempting a connect to:
One of the hosts observed was ro.htc.appupdate.url
Host is now out of Taiwan. Absolutely no mention of HTC.
apu-chin.htc.com has address 60.199.250.32
$ whois 60.199.250.32
% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
% Information related to '60.198.0.0 - 60.199.255.255'
% Abuse contact for '60.198.0.0 - 60.199.255.255' is 'hostmaster@twnic.net.tw'
inetnum: 60.198.0.0 - 60.199.255.255
netname: TFN-NET
descr: Taiwan Fixed Network CO.,LTD.
descr: 7FI., No. 498, Ruei-Guang Rd., Nei-Hu
descr: Taipei Taiwan 114
country: TW
admin-c: pNA3-AP
tech-c: pNA3-AP
status: ALLOCATED PORTABLE
mnt-by: MAINT-TW-TWNIC
mnt-irt: IRT-TWNIC-AP
mnt-lower: MAINT-TW-TWNIC
last-modified: 2015-12-01T22:33:17Z
source: APNIC
irt: IRT-TWNIC-AP
address: Taipei, Taiwan, 100
e-mail: hostmaster@twnic.net.tw
abuse-mailbox: hostmaster@twnic.net.tw
admin-c: TWA2-AP
tech-c: TWA2-AP
auth: # Filtered
remarks: Please note that TWNIC is not an ISP and is not empowered
remarks: to investigate complaints of network abuse.
mnt-by: MAINT-TW-TWNIC
last-modified: 2015-10-08T07:58:24Z
source: APNIC
role: profond Network Administrator
address: 8F., No.172-1, Sec.2, Ji-Lung Rd,
address: Taipei, Taiwan, 106, R.O.C
country: TW
phone: +886-2-6639-0859
fax-no: +886-2-6639-0859
e-mail: ethanchen@taiwanmobile.com
admin-c: EC648-AP
tech-c: EC648-AP
nic-hdl: pNA3-AP
remarks: The role object should be used when making
remarks: changes to admin-c or tech-c handle.
notify: hostmaster@twnic.net.tw
mnt-by: MAINT-TW-TWNIC
last-modified: 2015-04-22T00:50:45Z
source: APNIC
% This query was served by the APNIC Whois Service version 1.88.15-46 (WHOIS-US4)
Your system information
Steam client version (build number or date): Dec 15 2017
Distribution: CentOS
Opted into Steam client beta?: No
Have you checked for system updates?: Yes
Graphics driver version (run nvidia-settings): 387.34 Tue Nov 21 03:09:00 PST 2017
Gist for SteamVR System Information: NA
Opted into Steam client beta?: No
Opted into SteamVR beta?: Yes
Have you checked for system updates?: Yes
Please describe your issue in as much detail as possible:
I noticed the Vive software and/or Valve calling home to some servers in China. As I'm not in China nor prompted for any access requests, that seemed rather odd. Apparently I'm not the only one to notice either as a bit of searching returns page like this
One of the hosts observed was ro.htc.appupdate.url
Given the climate we continue to live in this really is not acceptable. It's interesting HTC takes a hard stance against any offline install which would preclude the vive from airgapped networks like those in any company with a sane security policy preventing R&D machines from external access.
So why is this necessary when Steam could and should be used? Why is there no disclosure about this on either install or purchase? Note those URLs are over http and completely interceptable.
This isn't the first time the lack of proper security policies has been pointed out to Valve.