Impact
Q2PRO server before version r3220 is vulnerable to a remote denial of service attack. If a malicious client executes the begin command while the server is showing a static picture or cinematic, the server will crash with a game error.
Q2PRO server before version r3647 is vulnerable to another kind of remote denial of service attack. A malicious client may execute the nextserver command twice with a crafted spawncount value while the server is showing a static picture or cinematic, which would result in the server being killed.
Only coop servers are expected to show pictures or cinematics, regular deathmatch servers are not affected.
Patches
The first problem has been patched in version r3220. The second problem has been patched in version r3647. It is recommended for coop server operators to update to version r3647 or later.
Workarounds
Cinematics can be disabled by setting the sv_cinematics variable to 0. There's no way to prevent the server from showing static pictures.
References
Fixed by 3358610 and 318bf10.