Nintendo Switch game news: We avoided the worst
Published on 29/12/2022 at 12:22
Dreaded by many players, a security breach affecting several games on Nintendo Switch, among others, has just been publicly revealed. A major breach that could have turned into a nightmare for the Japanese firm if it had not been flushed out in time. That explains some of the somewhat curious updates of the past few days.
An update that explains everything
A few days ago, our columns mentioned a strange update for Mario Kart 7, the cult episode on Nintendo 3DS, almost 11 years after its release. Without further details from Nintendo, this patch simply describes that “several issues have been resolved to improve the gameplay experience”. In the continuity of the last update of 2012, the first hypotheses evoke the correction of certain glitches or perhaps the resolution of certain problems following the porting of the circuits within the DLC of Mario Kart 8 Deluxe.
In reality, none of that since it was mainly a question of countering a hidden security flaw in the game and called “ENLBufferPwn”. According to CVSS (Common Vulnerability Scoring System), a system responsible for evaluating the criticality of vulnerabilities, this security flaw reaches the score of 9.8/10, which is far from trivial.
Several Nintendo games impacted
We therefore understand better why Nintendo is on the alert regarding this case. In effect, such a security breach can allow some malicious people to infiltrate your console during an online gaming session to take control and steal sensitive personal informationall without you even realizing anything.
This flaw was spotted by a certain PabloMK7, among others, before being reported to the Japanese manufacturer and being relayed on his Twitter account.
Here is ENLBufferPwn (CVE ID pending), a severe vulnerability in many first party 3DS, Wii U and Switch games. It allows remote code execution in a victim console by just having an online game session with an attacker.
Vulnerability report: https://t.co/QbvXKQLeDf
— PaulMK7 (@Pablomf6) December 24, 2022
Here is ENLBufferPwn (CVE ID pending), a severe vulnerability in many 3DS, Wii U and Switch games. It allows remote code execution via a victim console by simply having an online gaming session with a hacker.
Combined with other OS exploits, this vulnerability could allow an attacker to gain complete control of the console, and steal sensitive information or take audio/video recordings. It scored 9.8/10 (Critical) in the CVSS 3.1 calculator.
Nintendo released patches for affected games in 2022. A list of games known to have had the vulnerability at some point can be found in the vulnerability report.
The vulnerability was safely reported by Pablomf6, Rambo6Glaz, and fishguy6564 independently in 2021/2022 through Nintendo’s HackerOne program. In my case (I found her in Mario Kart 7), I got a $1000 bounty.
I would also like to thank Nintendo for giving me the opportunity to collaborate in the discovery and investigation of this vulnerability, and for mobilizing the resources necessary to fix it in older titles. I hope these actions have helped create a safer online gambling environment.
Moreover, as this publication states, the Nintendo Switch is not the only console affected by this vulnerability which also affects the 3DS and the Wii U. But in the face of such a security threat, Nintendo quickly took the lead in rolling out a series of several updates and putting together an initial list of all affected games (which you can find in the box below).
At the time of writing these few lines, we do not know if the updates in question will also concern the Wii U versions, while we strongly advise you to update all other aforementioned games on this list.
About the Nintendo Switch