A security update released by ChatRTX on March 26th, 2024, addresses two vulnerabilities (CVE-2024-0082 and CVE-2024-0083) that could allow attackers to execute malicious code and tamper with data on affected systems.
The vulnerabilities stem from improper input validation (CWE-20) and improper privilege management (CWE-269) practices, where attackers could potentially trick the system into running unintended code or gain access to unauthorized data.
The Common Vulnerability Scoring System (CVSS v3.1) assigns a high-risk severity score (8.2) to these vulnerabilities, highlighting the importance of updating to the latest version of ChatRTX to mitigate these risks.
An attacker can exploit a vulnerability in NVIDIA ChatRTX for Windows to potentially escalate their privileges, leak sensitive information, or tamper with data on a vulnerable system.
Sending specially crafted open file requests can trigger this vulnerability, which is present in the application’s user interface (UI). The exploitability of this vulnerability is rated as low complexity, which can be easily carried out.
It also requires low privileges on the attacker’s part, further increasing the exploitability wherever a successful exploit could result in a complete compromise of the system, as the attacker would gain full control, reads the advisory.
The vulnerability has a high potential impact due to the severity of the potential consequences and the overall severity rating of this vulnerability is also high (8.2), which falls under CWE-269, a category of weaknesses known as improper privilege management.
A critical vulnerability (CVE-2024-0083) exists in NVIDIA ChatRTX for Windows that allows attackers to inject malicious scripts into users’ browsers via a cross-site scripting (XSS) flaw in the UI.
It could potentially enable attackers to execute arbitrary code on the victim’s machine, cause denial-of-service by crashing the application, or steal sensitive information.
The vulnerability is rated medium severity due to the lack of a complete remote code execution exploit, but it still presents a significant risk.
NVIDIA’s general risk assessment might not accurately reflect the system’s vulnerability due to variations in installed components.
To ensure proper security posture, NVIDIA advises evaluating the specific risks associated with the unique system configuration.
There is a security update for NVIDIA ChatRTX software for Windows that addresses vulnerabilities (CVE-2024-0082, CVE-2024-0083) in all versions prior to 0.2.
To install the update, download the ChatWithRTX_installer_3_5.zip file from the ChatRTX Download page and be aware that both the affected version and the updated version are labeled as 0.2.
Also verify that the downloaded file is named ChatWithRTX_installer_3_5.zip to ensure the updated version.
The document was initially released on March 26, 2024, with version 1.0, whose history log serves as a record of changes made to the document over time, allowing for comparison and rollback to previous versions if necessary.
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.