Recently, a serious security flaw was discovered in various Nintendo devices such as the Switch, 3DS, and Wii U that could allow unauthorized access through a range of online games.
Nintendo’s Attempt to Patch the Games
According to reports, Nintendo has been attempting to patch games to remove the ‘ENLBufferPwn’ exploit.
Several updates have already gone live in order to take care of the issue (as reported by Nintendo Everything).
Vulnerability Declared Critical by CVSS
The vulnerability is classified as ‘Critical’ on the Common Vulnerability Scoring System (CVSS) and is detailed on GitHub by PabloMK7, Rambo6Glaz, and Fishguy6564. It puts a victim at risk of having their device completely controlled from a distance merely by playing an online game with a possible attacker.
By remotely executing code, attackers may access sensitive information or record audio and video without your knowledge.
In 2021/2022, the vulnerability was reported to Nintendo by @Pablomf6, who stated they had been awarded a $1000 reward from Nintendo’s HackerOne program.
Nintendo has taken action to correct the issue in some of the games involved, including Mario Kart 7 which received an update after over 10 years.
Titles That Have Been Impacted
Although many of the popular Switch titles have been patched for security, it seems like Mario Kart 8 and Splatoon on Wii U have still not been fixed and might still be vulnerable.
According to the GitHub page, here’s a list of titles that have been impacted:
- Mario Kart 7 (fixed in v1.2)
- Mario Kart 8
- Mario Kart 8 Deluxe (fixed in v2.1.0)
- Animal Crossing: New Horizons (fixed in v2.0.6)
- ARMS (fixed in v5.4.1)
- Splatoon 2 (fixed in v5.5.1)
- Splatoon 3 (fixed in late 2022, exact version unknown)
- Super Mario Maker 2 (fixed in v3.0.2)
- Nintendo Switch Sports (fixed in late 2022, exact version unknown)
There is speculation that other games may be affected by the same vulnerability, but there is no confirmation of this yet.
Being on an Old Version May Make You Vulnerable to Attacks
To see this exploit in action, watch the video below from PabloMK7. The clip shows an attacker (left console) copying a return-oriented programming (ROP) payload and executing it on an unmodified 3DS (right console).
The target console is then made to run a custom firmware installer, and it is believed that the same method can be used to seize confidential data from a remote device.
Fortunately, if you’re running the up-to-date version of the software this attack is no longer possible, so make sure to update if you haven’t already!
Nintendo’s more restrictive approach to online play has helped prevent security issues such as this exploit, as @LuigiBlood noted:
Mario Kart 8 and Splatoon May Have Security Issues
Mario Kart 8 and Splatoon, the two games mentioned above, may have online security issues on the Wii U.
To be safe, we suggest either exercising caution or avoiding them completely until additional information is released. We’ll update this article if more news surfaces.