Sign Up
All SecurityCyber-crimePatchesResearchCSO
All Off-PremEdge + IoTChannelPaaS + IaaSSaaS
All On-PremSystemsStorageNetworksHPCPersonal TechCxOPublic Sector
All SoftwareAI + MLApplicationsDatabasesDevOpsOSesVirtualization
All OffbeatDebatesColumnistsScienceGeek's GuideBOFHLegalBootnotesSite NewsAbout Us

Security

Patches

Nvidia's newborn ChatRTX bot patched for security bugs

Flaws enable privilege escalation and remote code execution

Matthew Connatser Thu 28 Mar 2024  //  15:33 UTC

Nvidia's AI-powered ChatRTX app launched just six week ago but already has received patches for two security vulnerabilities that enabled attack vectors, including privilege escalation and remote code execution.

ChatRTX, formerly known as Chat with RTX, was launched in February to provide Nvidia GPU owners with an AI chatbot that could run locally on RTX 30 and 40-series hardware with at least 8 GB of VRAM. While this solution couldn't promise as much power as a cloud-based alternative, being able to run it locally has been an upside for early users.

One of the downsides for users of earlier versions was that it harbored two security bugs designated CVE‑2024‑0082 and CVE‑2024‑0083. These flaws existed in all versions of ChatRTX up to version 0.2. The latter is rated at a medium severity level of 6.5, while the former is an 8.2 high-level problem.

CVE‑2024‑0083 could allow attackers to perform denial of service attacks, steal data, and even perform remote code execution (RCE). A score of 6.5 for these issues is relatively tame, and many others can score more than 9 points or even the maximum 10 out of 10 in the case of the Atlassian Confluence RCE exploit.

The other vulnerability, CVE‑2024‑0082, enables data stealing (again), data tampering, and even privilege escalation. This issue may have warranted the higher severity score since privilege escalation can render a computer totally open to intrusion.

RCE combined with privilege escalation could prove potent combo as well. Nvidia says it's possible via open file requests and by causing cross-site scripting errors that then allows browser scripts to be run. It's unknown if anyone was actually compromised thanks to these ChatRTX bugs. We have reached out to Nvidia for comment and will update when we hear back.

All users have to do is update to ChatRTX version 0.2. Confusingly, Nvidia warns that "the version numbers of the last affected version and the updated version are both 0.2" so maybe just completely reinstall ChatRTX to be safe. ®
Send us news
1 Comment

Take a closer look at Nvidia's buy of Run.ai, European Commission told

Campaign groups, non-profit orgs urge action to prevent GPU maker tightening grip on AI industry

AI's rising tide lifts all chips as AMD Instinct, cloudy silicon vie for a slice of Nvidia's pie

Analyst estimates show growing apetite for alternative infrastructure

Just how deep is Nvidia's CUDA moat really?

Not as impenetrable as you might think, but still more than Intel or AMD would like

Nvidia upgrades tiny Jetson Orin Nano dev kits for the holidays

'Super' edition promises 67 TOPS and 102GB/s of memory bandwidth for your GenAI projects

US bipartisan group publishes laundry list of AI policy requests

Chair Jay Obernolte urges Congress to act – whether it will is another matter

Infosec experts divided on AI's potential to assist red teams

Yes, LLMs can do the heavy lifting. But good luck getting one to give evidence

Open source maintainers are drowning in junk bug reports written by AI

Python security developer-in-residence decries use of bots that 'cannot understand code'

Boffins trick AI model into giving up its secrets

All it took to make an Google Edge TPU give up model hyperparameters was specific hardware, a novel attack technique … and several days

Million GPU clusters, gigawatts of power – the scale of AI defies logic

It's not just one hyperbolic billionaire – the entire industry is chasing the AI dragon

American cops are using AI to draft police reports, and the ACLU isn't happy

Do we really need to explain why this is a problem?

Google Gemini 2.0 Flash comes out with real-time conversation, image analysis

Chocolate Factory's latest multimodal model aims to power more trusted AI agents

Are you better value for money than AI?

Tech vendors start saying the quiet part out loud – do enterprises really need all that headcount?