Background
GameStream authenticates client and server using both client and server certificates and certificate pinning on both sides. The pinned certificates are established during an initial pairing process. This pairing process uses a secret PIN generated by the client that is salted and used to derive an AES key. The salt is then sent to the server. If the PIN is entered correctly on the server, the same key will be derived using the client's salt and the systems will exchange certificate data with each other to pin each other's certificates.
Unfortunately, on the affected Moonlight iOS/tvOS clients, the PIN itself was concatenated to the end of the salt value. It was supposed to be concatenated later when deriving the AES key, but was incorrectly appended too early in the pairing process. As a result, the secret PIN, encoded as hex bytes of ASCII, was leaked to the target PC.
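The flaw described above, as an added illustration that is not Moonlight's own code: the vulnerable client serialises salt || PIN where only the salt should leave the device, and a defender inspecting a captured pairing request can recognise the leak by its length and ASCII-digit tail. The 16-byte salt, the 4-digit PIN and the SHA-256-truncated-to-16-bytes key derivation are assumptions standing in for the real GameStream details.

```python
import hashlib
from typing import Optional

SALT_LEN = 16  # assumed random salt length for a pairing request
PIN_LEN = 4    # assumed: GameStream pairing PINs are 4 decimal digits


def derive_aes_key(salt: bytes, pin: str) -> bytes:
    """Both sides derive the AES key from salt || PIN. The hash and the
    16-byte truncation here are a stand-in, not the real derivation."""
    return hashlib.sha256(salt + pin.encode("ascii")).digest()[:16]


def vulnerable_pairing_request(salt: bytes, pin: str) -> str:
    """Bug modelled from the advisory: the PIN is appended to the salt before
    the salt is serialised, so the hex of the PIN's ASCII digits is sent."""
    return (salt + pin.encode("ascii")).hex()


def fixed_pairing_request(salt: bytes, pin: str) -> str:
    """Fixed behaviour: only the salt is sent; the PIN is mixed in later,
    inside derive_aes_key, and never leaves the client."""
    return salt.hex()


def server_derive_key(request_salt_hex: str, pin_entered: str) -> bytes:
    """Server side: derive the key from the received salt and the PIN the
    user typed. A wrong PIN yields a different key and pairing fails."""
    return derive_aes_key(bytes.fromhex(request_salt_hex), pin_entered)


def extract_leaked_pin(salt_hex: str) -> Optional[str]:
    """Defender-side check over a captured pairing request: a correct request
    carries exactly SALT_LEN bytes; one that is PIN_LEN bytes longer with an
    all-ASCII-digit tail is carrying the PIN in the clear."""
    raw = bytes.fromhex(salt_hex)
    if len(raw) != SALT_LEN + PIN_LEN:
        return None
    tail = raw[SALT_LEN:]
    if not tail.isdigit():  # bytes.isdigit() tests for ASCII digits only
        return None
    return tail.decode("ascii")


# Constructed demo values (not from a real capture).
DEMO_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
DEMO_PIN = "1234"

if __name__ == "__main__":
    leaky = vulnerable_pairing_request(DEMO_SALT, DEMO_PIN)
    print("vulnerable request:", leaky, "-> leaked PIN:", extract_leaked_pin(leaky))
    print("fixed request:     ", fixed_pairing_request(DEMO_SALT, DEMO_PIN))
```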
Impact
With the PIN leaked in the pairing request itself, it would be possible for an attacker who can temporarily man-in-the-middle the pairing process to fool a victim into pairing to an attacker-controlled server, which would then proxy the pairing request to the intended host. With such a setup, the attacker would be able to steal each stream's client-generated encryption keys, which are exchanged over the HTTPS connection using the fraudulent certificate pinned during the pairing process.
The window for achieving a man-in-the-middle attack is small, because pairing is a one-time process. However, if an attacker can exploit this small window, they can manipulate the exchanged host data to ensure the victim will always attempt to connect to the attacker's proxy server, even after leaving the attacker-controlled network.
Patches
The bug has been fixed in Moonlight v4.0.1 for iOS and tvOS. These or later versions have been live on the Apple App Store for several days, so users with automatic app updates enabled should have already received the fix.
Users that paired over potentially insecure networks should delete their PC from Moonlight and pair again after patching.
All other official and popular unofficial clients were audited and found not to be vulnerable: Moonlight Qt, Moonlight Android, Moonlight ChromeOS, Moonlight Embedded, and Moonlight Vita.
Workarounds
None, though risk can be mitigated somewhat by pairing over a known secure network.
References
For more information
If you have any questions or comments about this advisory: