The team logo
Daily Brief Changelog
v0.7

Article Details

Scrape Timestamp (UTC): 2024-03-28 15:37:18.282

Source: https://www.theregister.com/2024/03/28/nvidia_chatrtx_security_flaws/

Original Article Text

Click to Toggle View

Nvidia's newborn ChatRTX bot patched for security bugs. Flaws enable privilege escalation and remote code execution. Nvidia's AI-powered ChatRTX app launched just six week ago but already has received patches for two security vulnerabilities that enabled attack vectors, including privilege escalation and remote code execution. ChatRTX, formerly known as Chat with RTX, was launched in February to provide Nvidia GPU owners with an AI chatbot that could run locally on RTX 30 and 40-series hardware with at least 8 GB of VRAM. While this solution couldn't promise as much power as a cloud-based alternative, being able to run it locally has been an upside for early users. One of the downsides for users of earlier versions was that it harbored two security bugs designated CVE‑2024‑0082 and CVE‑2024‑0083. These flaws existed in all versions of ChatRTX up to version 0.2. The latter is rated at a medium severity level of 6.5, while the former is an 8.2 high-level problem. CVE‑2024‑0083 could allow attackers to perform denial of service attacks, steal data, and even perform remote code execution (RCE). A score of 6.5 for these issues is relatively tame, and many others can score more than 9 points or even the maximum 10 out of 10 in the case of the Atlassian Confluence RCE exploit. The other vulnerability, CVE‑2024‑0082, enables data stealing (again), data tampering, and even privilege escalation. This issue may have warranted the higher severity score since privilege escalation can render a computer totally open to intrusion. RCE combined with privilege escalation could prove potent combo as well. Nvidia says it's possible via open file requests and by causing cross-site scripting errors that then allows browser scripts to be run. It's unknown if anyone was actually compromised thanks to these ChatRTX bugs. We have reached out to Nvidia for comment and will update when we hear back. All users have to do is update to ChatRTX version 0.2. Confusingly, Nvidia warns that "the version numbers of the last affected version and the updated version are both 0.2" so maybe just completely reinstall ChatRTX to be safe.

Daily Brief Summary

CYBERCRIME // Nvidia ChatRTX AI Bot Receives Critical Security Vulnerability Patches

Nvidia's ChatRTX AI application received updates to patch two serious security vulnerabilities.

The flaws, identified as CVE‑2024‑0082 and CVE‑2024‑0083, allowed for privilege escalation and remote code execution.

These vulnerabilities affected all versions of ChatRTX up to version 0.2, which runs on local Nvidia GPU hardware.

CVE‑2024‑0083, with a medium severity rating, could lead to denial of service attacks, data theft, and RCE.

CVE‑2024‑0082, considered a high-level threat, enabled data theft, data tampering, and privilege escalation.

Although these issues are serious, with CVE‑2024‑0083 allowing for RCE and CVE‑2024‑0082 for privilege escalation, no known exploitations have been reported as of yet.

Users are advised to update their ChatRTX app to version 0.2, with Nvidia noting a confusing overlap in version numbers between the affected and updated versions.

To ensure safety, a full reinstallation of ChatRTX might be recommended due to the version number confusion.