Nvidia, a maker of gaming-friendly graphics processing units (GPUs), has patched a high-severity vulnerability in its GeForce Experience software that could lead to code execution or denial of service on affected products if exploited.
The vulnerability (CVE‑2019‑5674) has a CVSS score of 8.8, making it high severity.
GeForce Experience is a supplemental application to the GeForce GTX graphics card — it keeps users’ drivers up-to-date, automatically optimizes their game settings and more. GeForce Experience is installed by default on systems running NVIDIA GeForce products, Nvidia’s brand of GPUs.
Essentially, the flaw allows any system file within the application to be overwritten when ShadowPlay (Nvidia’s game-play recording feature), NvContainer (Nvidia’s container runtime process), or GameStream (Nvidia’s game-streaming feature) is enabled.
“When opening a file, the software does not check for hard links,” said Nvidia in a Tuesday security update. “This behavior may lead to code execution, denial-of-service or escalation of privileges.”
The issue was reported by David Yesland of Rhino Security Labs, who published a proof-of-concept exploit for the vulnerability. When inspecting the permissions on the files for the affected features, Yesland realized that anyone can have control over them.
Thus, it’s possible for a low-privileged user to create a symbolic link (a special kind of file that points to another file) between log files and any other system file; that in turn allows the user to overwrite the contents of that system file.
“The issue here is that everyone could modify the file in any way, this includes creating hard or symbolic links to other files on the system,” Yesland said.
He added, “Essentially, with an arbitrary file write, you can force an application to overwrite any file on the system as a privileged user. Often, this just means you can cause a denial of service by overwriting critical system files, but if you can control the data that is being written in some way, often you can do more with it.”
For instance, some files could be polluted with commands that write a file to the system startup folder, leading to commands being executed by other users at startup.
Versions of GeForce Experience for Windows before 3.18 are impacted; users can update to 3.18 to fix the flaw.
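The missing check Nvidia describes ("does not check for hard links") can be illustrated with a hardened log opener. This is an added example, not Nvidia's fix and not code from Rhino Security Labs; it assumes a POSIX system (for `O_NOFOLLOW`), and the names `open_log_for_append`, `append_log_line` and `UnsafeLogTarget` are hypothetical.

```python
import os
import stat


class UnsafeLogTarget(Exception):
    """The log path is a link or otherwise not a plain, singly linked file."""


def open_log_for_append(path):
    """Open path for appending; refuse symlinks and hard-linked files."""
    # O_NOFOLLOW: open() fails if the final path component is a symlink.
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    try:
        fd = os.open(path, flags, 0o600)
    except OSError as exc:
        raise UnsafeLogTarget(f"refusing {path}: {exc}") from exc
    try:
        # Inspect the opened descriptor, not the path, so the file cannot be
        # swapped between the check and the write.
        info = os.fstat(fd)
        if not stat.S_ISREG(info.st_mode):
            raise UnsafeLogTarget(f"{path} is not a regular file")
        # More than one link means another name shares this file's data.
        if info.st_nlink != 1:
            raise UnsafeLogTarget(f"{path} has {info.st_nlink} hard links")
    except BaseException:
        os.close(fd)
        raise
    return fd


def append_log_line(path, line):
    """Append one line to the log, or raise UnsafeLogTarget without writing."""
    fd = open_log_for_append(path)
    try:
        os.write(fd, line.encode() + b"\n")
    finally:
        os.close(fd)
```

On Windows, the corresponding link count for an open handle is the `nNumberOfLinks` field returned by `GetFileInformationByHandle`.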
Earlier in March, Google issued patches for bugs in NVIDIA components used in Android handsets. Two information disclosure bugs, rated high severity, were also patched by NVIDIA.