
Nvidia Fixes High-Severity Flaws in GeForce Experience for Gamers


steven36


Nvidia is urging gamers to update its GeForce Experience software after patching two high-severity vulnerabilities.

 


 

Nvidia, which makes gaming-friendly graphics processing units (GPUs), has patched two high-severity flaws in its GeForce Experience software, which could allow denial of service, information disclosure and privilege escalation on impacted systems.

 

GeForce Experience is software for gamers utilizing Nvidia’s GTX graphics card, which keeps users’ drivers up-to-date, automatically optimizes their game settings and more. All versions of GeForce Experience for Windows prior to 3.19 are affected by the two serious flaws (CVE‑2019‑5678 and CVE‑2019‑5676).

 

“This update addresses issues that may lead to information disclosure, escalation of privileges, denial of service, or code execution,” Nvidia said in a Thursday advisory. “To protect your system, download and install this software update through the GeForce Experience Downloads page.”

 

The first vulnerability, CVE‑2019‑5678, which has a score of 7.8 out of 10 on the CVSS scale (making it high-severity), stems from the Web Helper component in the Display Control Panel of GeForce Experience.

 

This component does not properly validate input, meaning that an attacker with local system access can craft potentially malicious input. The input could lead to code execution, denial of service or information disclosure. David Yesland with Rhino Security Labs was credited with finding the flaw.

 

The second flaw, CVE‑2019‑5676, exists in the installer software of GeForce Experience, and enables privilege escalation through code execution. The attacker would need access on a local system, Nvidia said.

 

“NVIDIA GeForce Experience installer software contains a vulnerability in which it incorrectly loads Windows system DLLs without validating the path or signature (also known as a binary planting or DLL preloading attack),” said Nvidia.

 

This flaw ranks 7.2 out of 10 on the CVSS scale, making it high severity.

 

Multiple researchers were credited with reporting the issue, including: Kushal Arvind Shah of Fortinet’s FortiGuard Labs; Łukasz ‘zaeek’; Yasin Soliman; Marius Gabriel Mihai; and Stefan Kanthak.

 

GeForce Experience also faced a high-severity bug in March that could lead to code execution or denial-of-service of products if exploited. Also earlier in March, Google issued patches for bugs in NVIDIA components used in Android handsets. Two information disclosure bugs, rated high severity, were also patched by NVIDIA.

 

And, earlier this month, Nvidia patched three vulnerabilities in its Windows GPU display driver that could have enabled information disclosure, denial of service and privilege escalation.

 

Source
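
The binary planting weakness Nvidia describes for CVE‑2019‑5676 depends on a DLL sitting next to the installer and carrying the same name as a Windows system DLL. The script below is an added example, not part of the original article or Nvidia's advisory: it audits a folder such as a download directory for DLLs that shadow system DLL names. The directory layout and file names in `build_sample` are constructed for the demonstration.

```python
import os
import tempfile


def dll_names(directory):
    """Return the lower-cased names of .dll files directly inside directory."""
    return {
        entry.name.lower()
        for entry in os.scandir(directory)
        if entry.is_file() and entry.name.lower().endswith(".dll")
    }


def shadowing_dlls(installer_dir, system_dir):
    """List DLLs beside an installer that share a name with a system DLL.

    Windows file names are case-insensitive, so names are compared lower-cased.
    A hit is not proof of tampering; it marks a file that a loader which does
    not validate the path would pick up instead of the system copy.
    """
    return sorted(dll_names(installer_dir) & dll_names(system_dir))


def build_sample(root):
    """Constructed sample: a stand-in System32 and a stand-in download folder."""
    system_dir = os.path.join(root, "System32")
    download_dir = os.path.join(root, "Downloads")
    os.makedirs(system_dir)
    os.makedirs(download_dir)
    for name in ("version.dll", "dwmapi.dll", "kernel32.dll"):
        open(os.path.join(system_dir, name), "wb").close()
    # One file reuses a system DLL name (different case); the rest are benign.
    for name in ("example_setup.exe", "VERSION.dll", "vendor_helper.dll", "notes.txt"):
        open(os.path.join(download_dir, name), "wb").close()
    return download_dir, system_dir


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        download_dir, system_dir = build_sample(root)
        for name in shadowing_dlls(download_dir, system_dir):
            print("review before running installers here:",
                  os.path.join(download_dir, name))
```

On a real Windows host, pass the folder that holds downloaded installers as `installer_dir` and `%SystemRoot%\System32` as `system_dir`.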
