Topic: Major Security Vulnerability Disclosed In Multiple Nintendo Games

Offline Shaymin

  • Not my circus, not my monkeys
  • NWR Staff
  • Score: 70

That explains all those updates we've been getting this year.

http://www.nintendoworldreport.com/news/62471/major-security-vulnerability-disclosed-in-multiple-nintendo-games

Some older Nintendo games have been found to have security holes that can be exploited by simply playing online.

The "ENLBufferPwn" exploit, rated as a 9.8 / 10 (Critical) on the Common Vulnerability Scoring System (CVSS) scale, has been found in older Nintendo games dating back to Mario Kart 7 and can allow for a full takeover of the system by a third party. Potential uses include accessing saved payment information and using the 3DS and Wii U GamePad's built-in cameras and microphone to capture audio and video.

The vulnerability utilizes a "buffer overflow" attack as the affected games did not specify a limit to the amount of data that is sent in a game session; this is nominally some player data (such as a player's Mii in Mario Kart 7) but the lack of a limit could allow for a full takeover of the system - even without visible detection from the victim.

The vulnerability report shows the following games affected but warns that other first party titles could be involved:

  • 3DS: Mario Kart 7
  • Wii U: Splatoon, Mario Kart 8
  • Switch: Mario Kart 8 Deluxe, ARMS, Splatoon 2 / 3, Super Mario Maker 2, Animal Crossing: New Horizons, Nintendo Switch Sports

Mario Kart 7 recently received its first patch in over a decade to patch the issue, and the Switch titles have either been patched out-of-cycle or had the fix included in other feature updates. However, the Wii U games have not been patched as of press time, and it is not known if they will. The patch system of the 3DS, which requires downloading them from the eShop, also means that other vulnerable titles may not be fixed prior to the closure of the 3DS and Wii U eShops in March.

Nintendo was notified of the vulnerability by the discovering parties prior to the disclosure through a bug bounty program, which allowed for the existing patches to be programmed.

Donald Theriault - News Editor, Nintendo World Report / 2016 Nintendo World Champion
Tutorial box out.
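
An added illustration of the missing-limit bug class the article above describes; it is not part of the original post and is not Nintendo's code. The packet layout, the 96-byte record size and all function names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PLAYER_DATA_MAX 96  /* constructed size of one per-player record */

struct player_slot { uint8_t data[PLAYER_DATA_MAX]; size_t len; };

/* Constructed wire format: 2-byte big-endian length, then the payload. */

/* Unchecked pattern (shown for contrast, never called here): the copy size
   comes straight from the remote peer, so nothing limits it. */
int store_unchecked(struct player_slot *slot, const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 2) return -1;
    size_t claimed = ((size_t)pkt[0] << 8) | pkt[1];
    memcpy(slot->data, pkt + 2, claimed);  /* overruns data[] when claimed > 96 */
    slot->len = claimed;
    return 0;
}

/* Checked pattern: the claimed length must fit both the bytes actually
   received and the fixed destination buffer before anything is copied. */
int store_checked(struct player_slot *slot, const uint8_t *pkt, size_t pkt_len)
{
    if (slot == NULL || pkt == NULL || pkt_len < 2) return -1;
    size_t claimed = ((size_t)pkt[0] << 8) | pkt[1];
    if (claimed > pkt_len - 2) return -2;        /* length field exceeds packet */
    if (claimed > sizeof slot->data) return -3;  /* exceeds destination buffer */
    memcpy(slot->data, pkt + 2, claimed);
    slot->len = claimed;
    return 0;
}

/* Builds a constructed packet (claimed length vs. real payload length)
   and returns the checked handler's verdict. */
int try_packet(size_t claimed, size_t payload_len)
{
    static uint8_t pkt[2 + 512];
    struct player_slot slot = {0};
    if (claimed > 0xFFFF || payload_len > 512) return -100;
    pkt[0] = (uint8_t)(claimed >> 8);
    pkt[1] = (uint8_t)(claimed & 0xFF);
    memset(pkt + 2, 0x41, payload_len);
    return store_checked(&slot, pkt, 2 + payload_len);
}
```
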

Offline pokepal148

  • Inquire within for reasonable rates.
  • Score: -9967
Re: Major Security Vulnerability Disclosed In Multiple Nintendo Games
« Reply #1 on: December 24, 2022, 11:05:34 AM »
The only precedent for previous Nintendo eShops continuing to host patches is the Skyward Sword save channel on the Wii Shop Channel, which I believe can still be downloaded for the first time today, so there are some signs of encouragement there.

Offline M.K.Ultra

  • is late to the party
  • Score: 15
Re: Major Security Vulnerability Disclosed In Multiple Nintendo Games
« Reply #2 on: December 24, 2022, 11:15:14 AM »
I don't expect them to support online play for Splatoon 1 for very much longer since 3 is out. Same with MK8 on Wii U. Mario Maker might get support for a little longer than those two.

Offline Shaymin

  • Not my circus, not my monkeys
  • NWR Staff
  • Score: 70
Re: Major Security Vulnerability Disclosed In Multiple Nintendo Games
« Reply #3 on: December 24, 2022, 02:13:41 PM »
Mario Maker already lost online support, so I'm honestly surprised that they haven't taken the OG Splatoon and MK8 down.
Donald Theriault - News Editor, Nintendo World Report / 2016 Nintendo World Champion
Tutorial box out.

Offline ThePerm

  • predicted it first.
  • Score: 64
Re: Major Security Vulnerability Disclosed In Multiple Nintendo Games
« Reply #4 on: December 24, 2022, 02:52:45 PM »
I solved this problem by keeping my Wii U unplugged for the last 2 years
NWR has permission to use any tentative mockup/artwork I post