Heads-Up, Nintendo Is Scrambling To Patch Major Security Flaws In These Popular Games
First found in Mario Kart 7 for the Nintendo 3DS, the vulnerability is known as ENLBufferPwn. ENLBufferPwn allows a remote attacker to execute code on a 3DS, or potentially a Nintendo Switch, by exploiting two functions in the games' code, Add and Set.
The functions in question receive network buffer information from other players. This is usually information such as track position, possibly the speed of the player so graphics can display the opponent properly, and so on. Unfortunately, neither function actually checks the size of the network buffer in the incoming data. Because of this, a false network buffer can be placed in the data being sent, which in turn creates a buffer overflow that allows remote code execution.
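The missing size check described above, shown as an added C example that is not from the article, PabloMK7's write-up or Nintendo's code. The `rx_buffer` type, its 64-byte capacity and the function names are assumptions made for illustration; the unchecked form sits beside bounds-checked versions of Set and Add.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RX_CAPACITY 64  /* assumed capacity; the article gives no real sizes */

/* Hypothetical receive buffer for data sent by another player. */
typedef struct {
    uint8_t data[RX_CAPACITY];
    size_t  size;            /* bytes currently stored */
} rx_buffer;

/* Unchecked form, matching the flaw the article describes: the length is
 * taken from the remote peer and trusted, so any len above RX_CAPACITY
 * makes memcpy write past the end of data[]. */
void rx_set_unchecked(rx_buffer *b, const uint8_t *src, size_t len)
{
    memcpy(b->data, src, len);
    b->size = len;
}

/* Hardened Set: replace the contents only if the payload fits. */
int rx_set(rx_buffer *b, const uint8_t *src, size_t len)
{
    if (b == NULL || src == NULL || len > RX_CAPACITY)
        return -1;           /* reject and leave the buffer untouched */
    memcpy(b->data, src, len);
    b->size = len;
    return 0;
}

/* Hardened Add: append only if the remaining space is large enough.
 * Comparing len with (capacity - size) avoids wraparound in size + len. */
int rx_add(rx_buffer *b, const uint8_t *src, size_t len)
{
    if (b == NULL || src == NULL || b->size > RX_CAPACITY)
        return -1;           /* corrupted size field: refuse to append */
    if (len > RX_CAPACITY - b->size)
        return -1;
    memcpy(b->data + b->size, src, len);
    b->size += len;
    return 0;
}
```
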
This lack of checks is particularly severe because all an attacker needs to carry out this remote attack is to be in the same game session as the victim. The full details of the attack were recently published on GitHub by PabloMK7, a developer of a mod pack for Mario Kart 7 for the Nintendo 3DS.
Nintendo allowed publication of the details after it had already patched a number of titles. The titles that have been patched so far are as follows.
- Mario Kart 7 (fixed in v1.2)
- Mario Kart 8 Deluxe (fixed in v2.1.0)
- Animal Crossing: New Horizons (fixed in v2.0.6)
- ARMS (fixed in v5.4.1)
- Splatoon 2 (fixed in v5.5.1)
- Splatoon 3 (fixed in late 2022, exact version unknown)
- Super Mario Maker 2 (fixed in v3.0.2)
- Nintendo Switch Sports (fixed in late 2022, exact version unknown)
PabloMK7 pointed out that there are likely many other titles impacted by this vulnerability. Based on the list above, it does look like Nintendo is taking into consideration games that it doesn't necessarily directly support anymore. However, Splatoon's first release and Mario Kart 8 (non-Deluxe) still remain unpatched. Hopefully that will change and more titles will get patched soon.