Catalyst Remote Code Execution Vulnerability on Game Server Nodes

A remote code execution vulnerability has been identified in the Catalyst platform, which is used for managing game server hosts and communities. The issue arises because installation scripts in server templates are executed directly on the host operating system as root, without any sandboxing or containerization. This vulnerability affects all versions of the Catalyst agent.

Impact

Exploitation of this vulnerability allows for full root-level remote code execution on any node machine within the Catalyst cluster.

Reproduction

To reproduce this vulnerability, a user must have 'template.create' permission and either 'admin.write' or 'node access' to create servers. Once these conditions are met, a malicious template can be created with an install script that, when executed, performs unauthorized actions such as exfiltrating sensitive files or downloading and executing additional payloads. After the template is applied to a server, the install script runs as root on the host, providing a foothold for further exploitation.

Remediation

Users are advised to update to the patched version of Catalyst, available in commit 11980aaf3f46315b02777f325ba02c56b110165d.