Flaw in Nvidia's rendering software allows hijacking of "computer farms"
Posted on 12 December 2013.
A vulnerability in Nvidia mental ray, an extremely popular 3D-rendering software that is often used on "render farms", could allow attackers to take control of said farms, and use their massive computational power for their own nefarious purposes.

Render farms - groups of networked computers dedicated to rendering images for projects like computer-animated films - usually consist of hundreds and often thousands of processor cores, all grinding out animations that the master computer instructs them to work on.

Unfortunately, if they use NVIDIA mental ray version 3.11.1.10 or earlier, the vulnerability discovered by ReVuln researchers Luigi Auriemma and Donato Ferrante makes them open to attack.

Used both as a standalone product and embedded into popular content creation apps, NVIDIA mental ray runs as a system service and keeps a specific TCP port open (7520 in newer versions of the software), on which it waits for incoming connections.

Attackers can send a specific malicious packet (included in the paper) to this port and trigger the vulnerability, which allows them to load arbitrary DLLs on a victim system and thus take control of the entire rendering farm.
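For farm administrators, a check for the exposure described above, as an added example that is not taken from the article or the ReVuln paper: it parses `netstat -ano` output for a listener on TCP 7520 bound off-loopback and compares a version string against 3.11.1.10. The host name, PID, version strings and netstat lines are constructed, and the port is a parameter because the article names 7520 only for newer versions.

```python
import ipaddress

MENTAL_RAY_PORT = 7520          # port the article names for newer versions
LAST_AFFECTED = (3, 11, 1, 10)  # "3.11.1.10 or earlier", per the article

# Constructed sample of Windows `netstat -ano` output (not from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:7520           0.0.0.0:0              LISTENING       4120
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       2000
  TCP    10.0.0.15:49811        10.0.0.2:7520          ESTABLISHED     4120
  TCP    [::]:7520              [::]:0                 LISTENING       4120
  UDP    0.0.0.0:5353           *:*                                    1816
"""

def is_affected(version: str) -> bool:
    """True if a dotted version string is at or below the last affected one."""
    return tuple(int(part) for part in version.split(".")) <= LAST_AFFECTED

def exposed_listeners(netstat_text: str, port: int = MENTAL_RAY_PORT):
    """Return (address, pid) for TCP listeners on `port` not bound to loopback."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have five columns; headers, UDP rows and blanks are skipped.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        host, _, local_port = fields[1].rpartition(":")
        if int(local_port) != port:
            continue
        # IPv6 addresses appear as [addr] and may carry a %scope suffix.
        addr = ipaddress.ip_address(host.strip("[]").split("%")[0])
        if not addr.is_loopback:
            found.append((str(addr), int(fields[4])))
    return found

def audit(host: str, version: str, netstat_text: str) -> dict:
    """Combine the version check and the listener check for one render node."""
    listeners = exposed_listeners(netstat_text)
    affected = is_affected(version)
    return {"host": host, "affected_version": affected,
            "exposed": listeners, "at_risk": affected and bool(listeners)}

if __name__ == "__main__":
    # "render-node-01" is a hypothetical host name.
    print(audit("render-node-01", "3.11.1.10", SAMPLE_NETSTAT))
```

A node flagged `at_risk` is a candidate for firewalling the port to the farm's own subnet.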


The farm can then be surreptitiously used to perform password hacking (brute-forcing) on a large scale, or even for Bitcoin mining.

The researchers pointed out that the vulnerability affects both the 32-bit and 64-bit versions of the software, but that there are other issues that need to be addressed as well. They also admitted that they haven't reported this vulnerability to the vendor, but haven't explained why.

ReVuln, for its part, is in the business of finding and selling vulnerability information to paying third parties.









