Frame-14

Privacy Ninja

        • DATA PROTECTION

        • Email Spoofing Prevention
        • Check if your organization email is vulnerable to hackers and put a stop to it. Receive your free test today!
        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • AntiHACK Phone
        • Boost your smartphone’s security with enterprise-level encryption, designed by digital forensics and counterintelligence experts, guaranteeing absolute privacy for you and up to 31 others, plus a guest user, through exclusive access.

        • CYBERSECURITY

        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$3,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Secure your digital frontiers with our API penetration testing service, meticulously designed to identify and fortify vulnerabilities, ensuring robust protection against cyber threats.

        • Network Penetration Testing
        • Strengthen your network’s defenses with our comprehensive penetration testing service, tailored to uncover and seal security gaps, safeguarding your infrastructure from cyber attacks.

        • Mobile Penetration Testing
        • Strengthen your network’s defenses with our comprehensive penetration testing service, tailored to uncover and seal security gaps, safeguarding your infrastructure from cyber attacks.

        • Web Penetration Testing
        • Fortify your web presence with our specialized web penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats.

        • RAPID DIGITALISATION

        • OTHERS

NVIDIA Patches High Severity GeForce Experience Vulnerabilities

NVIDIA Patches High Severity GeForce Experience Vulnerabilities

NVIDIA released a security update for the Windows NVIDIA GeForce Experience (GFE) app to address vulnerabilities that could enable attackers to execute arbitrary code, escalate privileges, gain access to sensitive info, or trigger a denial of service (DoS) state on systems running unpatched software.

NVIDIA GFE is a companion utility for GeForce GTX graphics cards that “keeps your drivers up to date, automatically optimizes your game settings, and gives you the easiest way to share your greatest gaming moments with friends” according to NVIDIA.

While these flaws require attackers to have local user access and cannot be exploited remotely, they can still be abused using malicious tools deployed on systems running vulnerable NVIDIA GFE versions.

Additionally, attacks that would exploit these bugs are of low complexity according to NVIDIA, while also requiring low privileges, and need no user interaction.

Also Read: Advisory Guidelines on Key Concepts in the PDPA: 23 Chapters

Uncontrolled search path bug leads to code execution

CVE‑2020‑5977, the bug with the highest severity rating patched today by NVIDIA, can lead to privilege escalation and code execution following successful exploitation.

It also allows attackers to render Windows computers running unpatched NVIDIA GFE unusable by triggering a denial of service state.

The CVE‑2020‑5977 vulnerability was reported by Decathlon’s Xavier DANEST and it consists of an uncontrolled search path used when loading an NVIDIA Web Helper NodeJS Web Server node module.

The other high severity bug, CVE‑2020‑5990, exists in the ShadowPlay component and it was reported by Hashim Jawad of ACTIVELabs.

The three vulnerabilities fixed in the October 2020 security update are detailed below, together with full descriptions and the CVSS V3 base score assigned by NVIDIA.

CVE IDsDescriptionBase Score
CVE‑2020‑5977NVIDIA GeForce Experience contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.8.2
CVE‑2020‑5990NVIDIA GeForce Experience contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service, or information disclosure.7.3
CVE‑2020‑5978NVIDIA GeForce Experience contains a vulnerability in its services in which a folder is created by nvcontainer.exe under normal user login with LOCAL_SYSTEM privileges which may lead to a denial of service or escalation of privileges.3.2

NVIDIA says that the “risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk of your local installation.”

The company also advises “consulting a security or IT professional to evaluate the risk to your specific configuration.”

Also Read: Data Centre Regulations Singapore: Does It Help To Progress?

Affected GeForce Experience versions

The vulnerabilities impact only computers running Windows and  NVIDIA GeForce Experience versions before 3.20.5.70, the version that comes with fixes for the three bugs.

To apply the security update, you have to download the latest software version (i.e., 3.20.5.70) from the GeForce Experience Downloads page or to launch the GFE client to automatically apply it via the inbuilt update mechanism.

In July, NVIDIA fixed another security flaw in all GeForce Experience versions prior to 3.20.4 which could lead to code execution, denial of service, or escalation of privileges.

Last month, the company also addressed multiple high severity security issues in the Windows GPU display driver and the Virtual GPU Manager software.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us