NVIDIA Patches High Severity GeForce Experience Vulnerabilities

NVIDIA released a security update for the Windows NVIDIA GeForce Experience (GFE) app to address vulnerabilities that could enable attackers to execute arbitrary code, escalate privileges, gain access to sensitive info, or trigger a denial of service (DoS) state on systems running unpatched software.

NVIDIA GFE is companion utility for GeForce GTX graphics cards that “keeps your drivers up to date, automatically optimizes your game settings, and gives you the easiest way to share your greatest gaming moments with friends” according to NVIDIA.

While these flaws require attackers to have local user access and cannot be exploited remotely, they can still be abused using malicious tools deployed on systems running vulnerable NVIDIA GFE versions.

Additionally, attacks that would exploit these bugs are of low complexity according to NVIDIA, while also requiring low privileges, and need no user interaction.

Also Read: Advisory Guidelines on Key Concepts in the PDPA: 23 Chapters

Uncontrolled search path bug leads to code execution

CVE‑2020‑5977, the bug with the highest severity rating patched today by NVIDIA, can lead to privilege escalation and code execution following successful exploitation.

It also allows attackers to render Windows computers running unpatched NVIDIA GFE unusable by triggering a denial of service state.

The CVE‑2020‑5977 vulnerability was reported by Decathlon’s Xavier DANEST and it consists of an uncontrolled search path used when loading an NVIDIA Web Helper NodeJS Web Server node module.

The other high severity bug, CVE‑2020‑5990, exists in the ShadowPlay component and it was reported by Hashim Jawad of ACTIVELabs.

The three vulnerabilities fixed in the October 2020 security update are detailed below, together with full descriptions and the CVSS V3 base score assigned by NVIDIA.

CVE IDs	Description	Base Score
CVE‑2020‑5977	NVIDIA GeForce Experience contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.	8.2
CVE‑2020‑5990	NVIDIA GeForce Experience contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service, or information disclosure.	7.3
CVE‑2020‑5978	NVIDIA GeForce Experience contains a vulnerability in its services in which a folder is created by nvcontainer.exe under normal user login with LOCAL_SYSTEM privileges which may lead to a denial of service or escalation of privileges.	3.2

NVIDIA says that the “risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk of your local installation.”

The company also advises “consulting a security or IT professional to evaluate the risk to your specific configuration.”

Also Read: Data Centre Regulations Singapore: Does It Help To Progress?

Affected GeForce Experience versions

The vulnerabilities impact only computers running Windows and  NVIDIA GeForce Experience versions before 3.20.5.70, the version that comes with fixes for the three bugs.

To apply the security update, you have to download the latest software version (i.e., 3.20.5.70) from the GeForce Experience Downloads page or to launch the GFE client to automatically apply it via the inbuilt update mechanism.

In July, NVIDIA fixed another security flaw in all GeForce Experience versions prior to 3.20.4 which could lead to code execution, denial of service, or escalation of privileges.

Last month, the company also addressed multiple high severity security issues in the Windows GPU display driver and the Virtual GPU Manager software.