NVIDIA issued a security update for the Windows NVIDIA GeForce Experience (GFE) software to patch two vulnerabilities that could make it possible for potential local attackers to launch attacks that may lead to code execution, escalation of privileges, and denial-of-service (DoS).
While the two vulnerabilities require the would-be attackers to have local user access and cannot be exploited remotely, they can still be abused by dropping malicious tools remotely systems running vulnerable NVIDIA GFE versions.
NVIDIA GFE is a companion app for GeForce GTX graphics cards which,
according to NVIDIA, "keeps your drivers up to date, automatically optimizes your game settings, and gives you the easiest way to share your greatest gaming moments with friends."
NVIDIA rated the security issues as high severityTaking advantage of the vulnerabilities, attackers can escalate their privileges to gain permissions beyond the ones they were initially granted by the system.
This could allow them to render vulnerable machines unusable by triggering a denial of service state or to execute malicious commands on the compromised Windows systems.
The software flaws tracked as
CVE‑2019‑5678 (Improper Input Validation) and
CVE‑2019‑5676 (DLL hijacking) fixed in the May 2019 security update are detailed below, together with full descriptions and the CVSS V3 base scores assigned by NVIDIA.
According to NVIDIA, the "risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk of your local installation. NVIDIA recommends consulting a security or IT professional to evaluate the risk to your specific configuration."
The Improper Input Validation issue was reported by David Yesland of Rhino Security Labs, while the DLL hijacking vulnerability was reported by multiple researchers (i.e., Kushal Arvind Shah of Fortinet's FortiGuard Labs, Łukasz 'zaeek', Yasin Soliman, Marius Gabriel Mihai, and Stefan Kanthak.)
All GeForce Experience versions prior to 3.19 impactedThe two software flaws impact Windows computers where a version of NVIDIA GeForce Experience prior to 3.19 is installed.
To apply the security update, NVIDIA GeForce Experience users have to either download the latest version from the
GeForce Experience Downloads page or to launch the client to have it applied via the inbuilt automatic update mechanism.
NVIDIA also added the following notes to the
security bulletin:
• Earlier software branch releases that support this product are also affected. If you are using an earlier branch release, upgrade to the latest branch release.
• CVE-2019-5676: If GeForce Experience software is installed on Windows 7, Microsoft KB2533623 must be installed as a prerequisite to address this CVE.
During March, NVIDIA released another
[/color=green]security update for the NVIDIA GeForce Experience software[/color] which patched another high severity security flaw that could enable potential local attackers with basic user privileges to elevate privileges, trigger code execution, and perform denial-of-service (DoS) attacks against vulnerable Windows machines.
source
