Nvidia has been forced to disable access to its customer service portal following the discovery that it was affected by a three-year-old vulnerability in its back-end software.
The NVCare website, used for customer support and warranty claims, has been deactivated by Nvidia following the public disclosure of a vulnerability in its back-end platform on the Full Disclosure mailing list earlier this week. According to the poster, identified only by the alias Finger, the bug was first reported to Nvidia on the 21st of November, but there was no response prior to the public release of the details.
Embarrassingly for the company, the flaw highlighted in the report was not a new one: the vulnerability in SAP's NetWeaver software was patched by the company around three years ago, but Nvidia appears to have neglected to install updates on the platform for at least that long. The flaw was rated as significant by the company, allowing a remote attacker to create a new administrative user and assume full control over the server - including the ability to access customer data.
That, Nvidia claims, has thankfully not happened. 'At this point, we have no evidence that customer data was compromised,' claimed Nvidia's Bob Sherbin in an email to Techworld regarding the flaw. 'We are continuing to investigate the matter.'
At present, the portal - normally accessible at nvcare.nvidia.com - is still inaccessible, with no date provided for its restoration.