Nvidia has released a patch for a set of serious security vulnerabilities which affect users of its GeForce Experience software and its GPU Display Driver.
The company recently published two separate security advisories detailing the vulnerabilities and if left unpatched, the most severe of these vulnerabilities could allow for code execution or information disclosure.
Nvidia has resolved three vulnerabilities in its GeForce Experience software. The first vulnerability, labeled CVE-2019-5701 which was discovered by Hashim Jawad of ACTIVELabs, is a problem within GameStream that could allow an attacker with local access to load Intel graphics driver DLLs without path validation. This could potentially lead to arbitrary code execution, privilege escalation, denial-of-service (DOS) or information disclosure.
- Nvidia reveals first AI platform for edge devices
- Nvidia and Arm team up on supercomputers
- Nvidia’s revenues still hit by death of cryptocurrency
The second vulnerability, labeled CVE-2019-5689, was found by Siyuan Yi of Chengdu University of Technology and it it exists within the GeForce downloader. An attacker with local access could exploit this vulnerability to create and execute code to transfer and save malicious files.
The third vulnerability, labeled CVE-2019-5695, was discovered by Peleg Hadar of SafeBreach Labs inside the GeForce local service provider component. To exploit this vulnerability, an attacker would need both local and privileged access. However, if they obtained these, it would be possible to use an incorrect Windows system DLL loading to cause DOS or data theft.
Display driver vulnerabilities
Nvidia's latest patch also resolved six vulnerabilities in the Nvidia Windows GPU Display driver. Of these flaws, CVE-2019-5690 was the most critical and it is a kernel mode layer handler issue where input size is not validated and this could lead to DoS or privilege escalation. Additionally, CVE-2019-5691 was found in the same system in which null pointer errors can be exploited with the same outcome.
CVE-2019-5692 and CVE-2019-5693 are also in the kernel mode layer handler but Nvidia has resolved these bugs as well. The first vulnerability relates to untrusted input when calculating or using an array index and this can lead to privilege escalation or DoS. The second security flaw involves how the program accesses or uses pointers and could lead to service denial if exploited.
Nvidia also fixed the CVE-2019-5694 and CVE-2019-5695 vulnerabilities in the display driver that led to incorrect DLL loading problems which could be exploited for DoS or information disclosure. Finally, the company resolved three vulnerabilities in the Virtual GPU Manager.
Versions of Nvidia GeForce Experience before version 3.20.1 are affected by these flaws and users should update their software as well as their graphics drivers immediately to avoid falling victim to any attacks which could exploit these vulnerabilities.
- Also check out the best antivirus software of 2019