A serious vulnerability affecting several Nintendo consoles has recently been discovered, with the potential to allow unauthorized access to Switch, 3DS and Wii U via a multitude of online games. It has been reported that Nintendo has been working to patch games for some time to eliminate the exploit known as “ENLBufferPwn”, with several updates already live to remedy the situation (thanks, Everything about Nintendo).
The vulnerability, which has been classified as “Review” on the Common Vulnerability Scoring System (CVSS) and described in detail on GitHub by PabloMK7, Rambo6Glaz and fishguy6564, would expose a victim’s device to full remote control simply through playing an online game with a potential attacker. This means attackers can access sensitive information or take audio and video recordings by executing code remotely.
The vulnerability was reported to Nintendo in “2021/2022” by @Pablomf6 – who says he received a “bonus” of $1000 via Nintendo’s HackerOne program – and it’s now understood the company has taken steps to fix the issue in some of the affected games, including Mario Kart 7, which was recently updated after more than a decade.
Most of the top Switch titles appear to have been patched already, but Mario Kart 8 and Splatoon on Wii U have not yet been resolved and may still be affected by the vulnerability.
Here is a list of the titles concerned, according to the GitHub page:
It is speculated that other games could also be affected by the vulnerability, although this is unconfirmed at this time.
To see the exploit in action, take a look at the video below from PabloMK7, which shows an attacker (left console) taking remote control of an unmodified 3DS (right console) by copying a return-oriented programming (ROP) payload and executing it remotely. The victim console is then forced to run a custom firmware installer, and it is believed that the same technique would allow an attacker to steal sensitive information from a remote console. Luckily this has now been fixed and can no longer be done if you are using the latest version of the software, so be sure to update if you haven’t!
Nintendo’s relatively limited approach to online gaming seems to have its advantages when it comes to security issues like this, as @LuigiBlood pointed out when discussing the exploit:
The two games mentioned are Mario Kart 8 and Splatoon, so if you’re still playing either of those titles online on your Wii U, we recommend that you exercise extreme caution or avoid them altogether until more information is available. We’ll update this article if any more details are revealed.