Severity: Important
CVSS Score: 7.8
Impact: Elevation of Privilege
Status: Fixed
Affected Software: Origin for Mac & PC version 10.5.74.41754 (or earlier)
Description
A vulnerability exists in the Origin Client Service that could allow a non-Administrative user to elevate their access to System. Once the user has obtained elevated access, they may be able to take control of the system and perform actions otherwise reserved for highly privileged users or system Administrators.
Attack Scenario
To successfully leverage the vulnerability, the attacker needs to have valid user credentials with the ability to log on to the computer that has the Origin Client installed. Upon successfully logging in, the attacker would then need to be able to install a specially crafted program or execute code that modifies the contents of the affected Origin install directories. They would then need to stop and restart the Origin Client.
Mitigations
Mitigations describe factors that limit the likelihood or impact of an attacker successfully leveraging the vulnerability.
- A successful attack would require the use of a valid account on the local machine with the Origin Client installed.
Workarounds
Workarounds are steps EA customers can take to reduce the potential for an attacker to leverage the vulnerability if they cannot or choose not to install the update.
- In order to temporarily limit the likelihood of the vulnerability being executed by non-privileged users, the system administrator may choose to remove local login rights from accounts or disable non-administrator accounts.
Resolution
To address the vulnerability, players with Administrator rights are advised to install the latest version of the Origin Client, version 10.6.0.42339.
On the next player login, the player will be required to update before entering their credentials. If they are already logged in, they will need to restart Origin to get the update.
Frequently Asked Questions:
How is Issue Severity Determined?
Issue severity is based on a 4-point scale ranging from Critical to Low. As part of our investigation, security engineers determine the overall ease of exploitation and what an attacker would need in order to successfully exploit the vulnerability. Typically, the fewer barriers that exist to exploitation, combined with a higher Security Impact, the higher the Issue Severity designation.
What causes the vulnerability?
The vulnerability is caused by the Origin Client Service's loading of third-party plugins. In this scenario, a specially crafted Qt plugin could potentially be loaded and run under the context of System. This would enable a standard user to elevate to Administrator or System privileges and potentially take full control of the affected system.
What is Qt?
Qt is a free and open-source widget toolkit for creating graphical user interfaces as well as cross-platform applications that run on various software and hardware platforms.
How do I know if I am vulnerable?
If Origin client version 10.5.74.41754 or earlier is installed on the system, it is vulnerable to this issue.
How does the update resolve the vulnerability?
The update restricts the dynamic loading of third-party plugins to the application directory. This directory is only editable by an Administrator account.
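The following is an added illustration, not EA's or Qt's code, of the two checks this advisory describes: the build-number comparison from "How do I know if I am vulnerable?" and the restriction of plugin loading to the application directory described in this answer. The version boundaries are the ones stated in the advisory; the directory layout, plugin file names and the `*.plugin` naming are constructed for the demonstration, and the loader is a generic model rather than Qt's actual plugin machinery.

```python
import os
import tempfile
from pathlib import Path

# Boundaries quoted from this advisory: last affected build and the fixed build.
LAST_VULNERABLE = (10, 5, 74, 41754)
FIXED_VERSION = (10, 6, 0, 42339)


def parse_version(text):
    """Turn a dotted build string such as '10.6.0.42339' into a comparable tuple."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable_version(text):
    """True when the installed build is 10.5.74.41754 or earlier."""
    return parse_version(text) <= LAST_VULNERABLE


def plugin_is_inside(app_dir, candidate):
    """Accept a plugin only if its real path lies inside the application directory.

    realpath() collapses '..' segments and follows symlinks, so a link placed in
    the install directory but pointing elsewhere is still rejected; commonpath()
    avoids the prefix trap where '/opt/Origin2' would match '/opt/Origin'.
    """
    app = os.path.realpath(app_dir)
    cand = os.path.realpath(candidate)
    try:
        return os.path.commonpath([app, cand]) == app
    except ValueError:  # paths on different drives (Windows) share no prefix
        return False


def load_plugins_unrestricted(search_dirs):
    """Pre-fix behaviour as the advisory describes it: every search directory is trusted."""
    return [str(p) for d in search_dirs for p in sorted(Path(d).glob("*.plugin"))]


def load_plugins_restricted(app_dir, search_dirs):
    """Post-fix behaviour: plugins resolving outside app_dir are reported, not loaded."""
    accepted, rejected = [], []
    for d in search_dirs:
        for p in sorted(Path(d).glob("*.plugin")):
            (accepted if plugin_is_inside(app_dir, p) else rejected).append(str(p))
    return accepted, rejected


def demo():
    """Build a constructed install layout in a temp dir and run both loaders over it."""
    with tempfile.TemporaryDirectory() as root:
        app = Path(root, "Origin")          # stands in for the Administrator-only install dir
        user = Path(root, "UserWritable")   # stands in for a dir any local account can write
        app.mkdir()
        user.mkdir()
        (app / "bundled.plugin").write_text("")   # constructed: shipped with the application
        (user / "dropped.plugin").write_text("")  # constructed: placed by a standard user
        search = [app, user]
        accepted, rejected = load_plugins_restricted(app, search)
        return {
            "unrestricted": [Path(p).name for p in load_plugins_unrestricted(search)],
            "accepted": [Path(p).name for p in accepted],
            "rejected": [Path(p).name for p in rejected],
            # a '..' path that starts inside the install dir but escapes it
            "traversal_rejected": not plugin_is_inside(
                app, app / ".." / "UserWritable" / "dropped.plugin"),
        }


if __name__ == "__main__":
    for build in ("10.5.74.41754", "10.6.0.42339"):
        print(build, "vulnerable" if is_vulnerable_version(build) else "fixed")
    print(demo())
```

The point of the restricted loader is that the trust decision is tied to where the plugin actually resolves on disk, not to which search path it was found under; an administrator-only directory is only a meaningful boundary if the check survives symlinks and `..` segments.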
Has this vulnerability been used against EA’s customers?
No. At the time of publication of this advisory we are not aware of any attacks against EA’s players that leverage this vulnerability.
Acknowledgement(s)
EA thanks the following security researcher for discovering this issue and reporting it to us in accordance with Coordinated Vulnerability Disclosure practices:
- Joel Noguera of Immunity Inc for reporting CVE-2020-15524
Date Published: 7/22/2020
Version: 1.0