Karlston Posted November 8, 2019 Share Posted November 8, 2019 Nvidia Geforce users need to patch their systems now A total of 12 vulnerabilities have been resolved in Nvidia's latest patch (Image credit: Shutterstock.com) Nvidia has released a patch for a set of serious security vulnerabilities which affect users of its GeForce Experience software and its GPU Display Driver. The company recently published two separate security advisories detailing the vulnerabilities and if left unpatched, the most severe of these vulnerabilities could allow for code execution or information disclosure. Nvidia has resolved three vulnerabilities in its GeForce Experience software. The first vulnerability, labeled CVE-2019-5701 which was discovered by Hashim Jawad of ACTIVELabs, is a problem within GameStream that could allow an attacker with local access to load Intel graphics driver DLLs without path validation. This could potentially lead to arbitrary code execution, privilege escalation, denial-of-service (DOS) or information disclosure. The second vulnerability, labeled CVE-2019-5689, was found by Siyuan Yi of Chengdu University of Technology and it it exists within the GeForce downloader. An attacker with local access could exploit this vulnerability to create and execute code to transfer and save malicious files. The third vulnerability, labeled CVE-2019-5695, was discovered by Peleg Hadar of SafeBreach Labs inside the GeForce local service provider component. To exploit this vulnerability, an attacker would need both local and privileged access. However, if they obtained these, it would be possible to use an incorrect Windows system DLL loading to cause DOS or data theft. Display driver vulnerabilities Nvidia's latest patch also resolved six vulnerabilities in the Nvidia Windows GPU Display driver. Of these flaws, CVE-2019-5690 was the most critical and it is a kernel mode layer handler issue where input size is not validated and this could lead to DoS or privilege escalation. Additionally, CVE-2019-5691 was found in the same system in which null pointer errors can be exploited with the same outcome. CVE-2019-5692 and CVE-2019-5693 are also in the kernel mode layer handler but Nvidia has resolved these bugs as well. The first vulnerability relates to untrusted input when calculating or using an array index and this can lead to privilege escalation or DoS. The second security flaw involves how the program accesses or uses pointers and could lead to service denial if exploited. Nvidia also fixed the CVE-2019-5694 and CVE-2019-5695 vulnerabilities in the display driver that led to incorrect DLL loading problems which could be exploited for DoS or information disclosure. Finally, the company resolved three vulnerabilities in the Virtual GPU Manager. Versions of Nvidia GeForce Experience before version 3.20.1 are affected by these flaws and users should update their software as well as their graphics drivers immediately to avoid falling victim to any attacks which could exploit these vulnerabilities. Source: Nvidia Geforce users need to patch their systems now (TechRadar) Link to comment Share on other sites More sharing options...
A total of 12 vulnerabilities have been resolved in Nvidia's latest patch (Image credit: Shutterstock.com) Nvidia has released a patch for a set of serious security vulnerabilities which affect users of its GeForce Experience software and its GPU Display Driver. The company recently published two separate security advisories detailing the vulnerabilities and if left unpatched, the most severe of these vulnerabilities could allow for code execution or information disclosure. Nvidia has resolved three vulnerabilities in its GeForce Experience software. The first vulnerability, labeled CVE-2019-5701 which was discovered by Hashim Jawad of ACTIVELabs, is a problem within GameStream that could allow an attacker with local access to load Intel graphics driver DLLs without path validation. This could potentially lead to arbitrary code execution, privilege escalation, denial-of-service (DOS) or information disclosure. The second vulnerability, labeled CVE-2019-5689, was found by Siyuan Yi of Chengdu University of Technology and it it exists within the GeForce downloader. An attacker with local access could exploit this vulnerability to create and execute code to transfer and save malicious files. The third vulnerability, labeled CVE-2019-5695, was discovered by Peleg Hadar of SafeBreach Labs inside the GeForce local service provider component. To exploit this vulnerability, an attacker would need both local and privileged access. However, if they obtained these, it would be possible to use an incorrect Windows system DLL loading to cause DOS or data theft. Display driver vulnerabilities Nvidia's latest patch also resolved six vulnerabilities in the Nvidia Windows GPU Display driver. Of these flaws, CVE-2019-5690 was the most critical and it is a kernel mode layer handler issue where input size is not validated and this could lead to DoS or privilege escalation. Additionally, CVE-2019-5691 was found in the same system in which null pointer errors can be exploited with the same outcome. CVE-2019-5692 and CVE-2019-5693 are also in the kernel mode layer handler but Nvidia has resolved these bugs as well. The first vulnerability relates to untrusted input when calculating or using an array index and this can lead to privilege escalation or DoS. The second security flaw involves how the program accesses or uses pointers and could lead to service denial if exploited. Nvidia also fixed the CVE-2019-5694 and CVE-2019-5695 vulnerabilities in the display driver that led to incorrect DLL loading problems which could be exploited for DoS or information disclosure. Finally, the company resolved three vulnerabilities in the Virtual GPU Manager. Versions of Nvidia GeForce Experience before version 3.20.1 are affected by these flaws and users should update their software as well as their graphics drivers immediately to avoid falling victim to any attacks which could exploit these vulnerabilities.
zanderthunder Posted November 9, 2019 Share Posted November 9, 2019 For those who want to get the latest GeForce Experience (version 3.20.1.57): Also for those who want to get the latest GeForce driver (441.12): Several notes to point out: 1. Your computer hardware vendor (a.k.a. OEM) may provide you with Windows GPU display driver versions including 441.03, 436.50, 431.98, 426.25, 392.58 which also contain the security updates. For this, you need to consult OEM. 2. The Geforce driver version 441.12 (which fixes these vulnerabilities) only supports desktop GPU from 6xx series onwards and notebook GPU from 7xx series onwards. Users with older GPUs might need to consult OEM as well, with regards to point 1 as well. 3. For Quadro and NVS GPU that are using versions under branch R440, you are recommended to upgrade to 441.12 by obtaining the drivers from Nvidia's website. 4. For Quadro and NVS GPU that are using versions under branch R430, R418, R390 and Tesla GPU under branch R440 and R418, the updates will be available the week of November 18, 2019, also can be obtained through Nvidia's website. Source: 1. https://nvidia.custhelp.com/app/answers/detail/a_id/4907 2. https://nvidia.custhelp.com/app/answers/detail/a_id/4860 3. https://www.zdnet.com/article/nvidia-patches-severe-geforce-gpu-vulnerabilities/ Link to comment Share on other sites More sharing options...
3175x175(CURRENT).thumb.jpg.b05acc060982b36f5891ba728e6d953c.jpg)
Recommended Posts
Archived
This topic is now archived and is closed to further replies.