Nvidia’s new AI chatbot falls victim to high-severity security vulnerabilities – urgent ChatRTX patch issued


Nvidia’s ChatRTX AI chatbot, previously known as Chat with RTX, has been found to contain severe security vulnerabilities in ChatRTX 0.2 and all prior versions. Fortunately, the latest iteration of ChatRTX 0.2, obtainable from Nvidia’s direct download page, addresses these issues. ChatRTX is Nvidia’s ChatGPT-style software that uses retrieval-augmented generation (RAG) in tandem with Nvidia’s TensorRT-LLM software and RTX acceleration to let users train a chatbot on their own personal data.

The specific vulnerabilities are classified under the industry-standard CWE (Common Weakness Enumeration) system as cross-site scripting (CWE-79) and improper privilege management (CWE-269). Both are UI vulnerabilities that allow attackers access they shouldn’t have, with CWE-79 corresponding to code execution and denial of service attacks. Meanwhile, CWE-269 corresponds to privilege escalation, information disclosure, and data tampering attacks.

Remote code execution is infamous as one of the most dangerous vulnerabilities for a piece of hardware or software since it allows attackers to run pretty much anything they like on your system (keyloggers, trackers, etc.). This corresponds to the CWE-79 vulnerability addressed here, although in this case it is specific to browser scripting.

Another pressing form of cyberattack displayed by the CWE-269 vulnerability is “privilege escalation,” which involves an attacker essentially giving themselves administrative privileges over your system and its files. This is obviously quite dangerous by itself, but the danger only compounds with the CWE-79 vulnerability present.

Fortunately, it seems that Nvidia was quick to address this issue as soon as it became aware of it, and there are no reports of these exploits actually being used so far. Knowing that some cutting-edge AI software had such severe security vulnerabilities attached is justifiably nerve-wracking, considering its personalized nature would naturally result in exploits sharing personal data.

With any luck, all affected users will have applied this latest Nvidia ChatRTX update before these vulnerabilities can impact them. The software remains as a beta version for now, with no timeline for the release candidate.
