Chipmaker Site Offline after Finding Bug

Friday, January 10, 2014 @ 04:01 PM gHale

Following a public report of a vulnerability in its SAP-powered backend, graphics chipmaker Nvidia took a customer service website offline Wednesday.

The affected website, https://nvcare.nvidia.com, uses SAP’s NetWeaver, which is a framework that underpins SAP business applications. The NetWeaver vulnerability is close to three years old and has been patched by SAP, but Nvidia did not apply the fix.

The person who found the vulnerability goes by the nickname “Finger.” He is from China. According to the bug report, Finger notified Nvidia Nov. 21. The report lists the status of the bug as “unable to contact the vendor or actively neglected by the vendor” and notes that it was publicly released Jan. 5.

Nvidia said it learned of the issue Wednesday and shut the site down until the issue is fixed.

“At this point, we have no evidence that customer data was compromised,” said Bob Sherbin of Nvidia’s corporate communications. “We are continuing to investigate the matter.”

The report was posted on a Chinese vulnerability forum, WooYun.org, and reposted on the Full Disclosure vulnerability forum.

The vulnerability would allow an attacker to remotely take full control of the SAP NetWeaver portal platform, officials said.


