Nvidia, which makes gaming-friendly graphics processing units (GPUs), has patched two high-severity flaws in its GeForce Experience software, which could allow denial of service, information disclosure and privilege escalation on impacted systems.
GeForce Experience is software for gamers utilizing Nvidia’s GTX graphics card, which keeps users’ drivers up-to-date, automatically optimizes their game settings and more. All versions of GeForce Experience for Windows prior to 3.19 are impacted to the two serious flaws (CVE‑2019‑5678 and CVE‑2019‑5676).
“This update addresses issues that may lead to information disclosure, escalation of privileges, denial of service, or code execution,” Nvidia said in a Thursday advisory. “To protect your system, download and install this software update through the GeForce Experience Downloads page.”
The first vulnerability, CVE‑2019‑5678, which has a score of 7.8 out of 10 on the CVSS scale (making it high-severity), stems from the Web Helper component in the Display Control Panel of GeForce Experience.
This component does not properly validate input, meaning that an attacker with local system access can craft potentially malicious input. The input could lead to code execution, denial of service or information disclosure. David Yesland with Rhino Security Labs was credited with finding the flaw – on Monday, he posted an analysis of the vulnerability.
“As far as some more insight into this vulnerability, Nvidia describes this vulnerability as being something that only an attacker with local system access could exploit,” Yesland told Threatpost in an email. “But as the blog post will show, we have come up with a proof of concept which shows this being exploited through a web browser. The fix for this issue by Nvidia only directly fixed the command injection flaw in the Web Helper but did not fix the fact that you can use our method through the browser to interact with the Web Helper service. So any other flaw found in the Web Helper service could still be exploited in the same way.”
The second flaw, CVE‑2019‑5676, exists in the installer software of GeForce Experience, and enables privilege escalation through code execution. The attacker would need access on a local system, Nvidia said.
“NVIDIA GeForce Experience installer software contains a vulnerability in which it incorrectly loads Windows system DLLs without validating the path or signature (also known as a binary planting or DLL preloading attack),” said Nvidia.
This flaw ranks 7.2 out of 10 on the CVSS scale, making it high severity.
Multiple researchers were credited with reporting the issue, including: Kushal Arvind Shah of Fortinet’s FortiGuard Labs; Łukasz ‘zaeek’; Yasin Soliman; Marius Gabriel Mihai; and Stefan Kanthak.
GeForce Experience also faced a high-severity bug in March that could lead to code execution or denial-of-service of products if exploited. Also earlier in March, Google issued patches for bugs in NVIDIA components used in Android handsets. Two information disclosure bugs, rated high severity, were also patched by NVIDIA.
And, earlier this month, Nvidia patched three vulnerabilities in its Windows GPU display driver that could have enabled information disclosure, denial of service and privilege escalation.
