Nvidia has released a patch for a set of major security vulnerabilities that affect users of the GeForce Experience software and graphics card driver.
The company recently published two separate security bulletins describing the vulnerabilities. If left unpatched, the most severe of them may allow code execution or information disclosure.
Nvidia fixed three vulnerabilities in the GeForce Experience software. The first, designated CVE-2019-5701 and discovered by Hashim Jawad of ACTIVELabs, is a problem in GameStream that could allow an attacker with local access to load the Intel graphics driver DLLs without the path being checked. This could potentially lead to arbitrary code execution, privilege escalation, denial of service (DoS), or information disclosure.
The second vulnerability, designated CVE-2019-5689, was discovered by Siyuan Yi of Chengdu University of Technology and exists in the GeForce download program. An attacker with local access could exploit this vulnerability to create and execute code for uploading and saving malicious files.
The third vulnerability, designated CVE-2019-5695, was discovered by Peleg Hadar of SafeBreach Labs and is in the local GeForce service provider. An attacker needs both local and privileged access to exploit this vulnerability. With that access, however, they can use the incorrect loading of Windows DLLs to cause DoS or data theft.
Vulnerabilities in the graphics driver
The latest Nvidia patch also resolved six vulnerabilities in the Nvidia graphics card driver for Windows. Of these flaws, CVE-2019-5690 was the most critical: it is an issue in the kernel mode layer where the size of the input data is not checked, which can lead to DoS or privilege escalation. In addition, CVE-2019-5691 was found in the same component, where null pointer errors can be used with the same result.
CVE-2019-5692 and CVE-2019-5693 are also in the kernel mode layer handler, and Nvidia resolved these errors as well. The first vulnerability concerns untrusted input when calculating or using an array index, which can lead to privilege escalation or DoS. The second vulnerability concerns the way the program accesses or uses pointers and can be used to cause denial of service.
Nvidia also fixed CVE-2019-5694 and CVE-2019-5695 in the driver, which involve incorrect loading of DLLs and could be used to cause DoS or disclose information. Finally, the company resolved three vulnerabilities in Virtual GPU Manager.
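The input-handling bug classes described above for the kernel mode layer handler (unchecked input size, null pointer use, untrusted array index) each correspond to a check a handler has to make before touching caller-supplied data. The following is an added illustration, not Nvidia's code; the request layout, names and error codes are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical request layout, names and error codes: an illustration of
   the three checks, not Nvidia's driver code. */
#define SLOT_COUNT 8u
#define SLOT_BYTES 64u
enum { REQ_OK = 0, REQ_ERR_NULL = -1, REQ_ERR_SIZE = -2, REQ_ERR_INDEX = -3 };

struct request_hdr {
    uint32_t slot;      /* caller-chosen index into slots[] */
    uint32_t data_len;  /* caller-claimed payload length in bytes */
};

static uint8_t slots[SLOT_COUNT][SLOT_BYTES];

/* Validate an untrusted buffer of buf_size bytes, then copy its payload
   into the selected slot. Every field is checked before it is used. */
int handle_request(const void *buf, size_t buf_size)
{
    struct request_hdr hdr;
    /* Null pointer check: never dereference a caller pointer unchecked. */
    if (buf == NULL)
        return REQ_ERR_NULL;
    /* Input size check: the buffer must at least hold the header. */
    if (buf_size < sizeof hdr)
        return REQ_ERR_SIZE;
    /* Copy the header once so checks and uses see the same values. */
    memcpy(&hdr, buf, sizeof hdr);
    /* Input size check: the claimed length must fit the bytes actually
       supplied and the destination. The subtraction cannot underflow. */
    if (hdr.data_len > buf_size - sizeof hdr || hdr.data_len > SLOT_BYTES)
        return REQ_ERR_SIZE;
    /* Array index check: bound the untrusted index before indexing. */
    if (hdr.slot >= SLOT_COUNT)
        return REQ_ERR_INDEX;
    memcpy(slots[hdr.slot], (const uint8_t *)buf + sizeof hdr, hdr.data_len);
    return REQ_OK;
}

int main(void)
{
    uint8_t msg[sizeof(struct request_hdr) + 2] = {0}; /* constructed input */
    struct request_hdr h = { 99u, 2u };                /* out-of-range slot */
    memcpy(msg, &h, sizeof h);
    return handle_request(msg, sizeof msg) == REQ_ERR_INDEX ? 0 : 1;
}
```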
These flaws apply to versions of Nvidia GeForce Experience earlier than 3.20.1, and users should immediately update their software as well as graphics drivers to avoid falling victim to any attacks that could exploit these vulnerabilities.