NVIDIA has released a security update for the Windows NVIDIA GeForce Experience (GFE) application to address vulnerabilities that could allow intruders to execute arbitrary code, scale privileges, gain access to sensitive information, or cause denial of service. ) on systems running with unpatched software.
NVIDIA GFE is a GeForce GTX graphics card utility that "updates your drivers, automatically optimizes your game settings and gives you the easiest way to share the best moments of your game with friends," says NVIDIA.
In addition, the attacks that will take advantage of these errors have low complexity according to NVIDIA, while also requiring low privileges and no need to interact with users.
CVE - 2020‑5977, the highest seriousness bug fixed today by NVIDIA, can lead to privilege scaling and code execution after a successful exploitation.
It also allows intruders to use Windows computers running unpatched NVIDIA GFE by activating a denial of service mode.
The CVE - 2020‑5977 vulnerability was reported by Decathlon Xavier DANEST and consists of an uncontrolled search path used during loading a node module NVIDIA Web Helper NodeJS Web Server.
The other highly serious error, CVE - 2020‑5990, is present in the ShadowPlay component and was reported by ACTIVELabs Hashim Jawad.
You can see below the three vulnerabilities that were fixed in the October 2020 security update along with the basic CVSS V3 rating assigned by NVIDIA.
NVIDIA says that the “risk assessment is based on an average risk in a different set of systems and may not represent a real risk to your local facility. ”
The company also advises "consulting a security or IT professional to assess the risk for your particular configuration."
Influenced versions of GeForce Experience
The vulnerabilities affect only computers running Windows and NVIDIA GeForce Experience before 126.96.36.199, the version that came with the bug fixes.
To apply the security update, you must download the latest software version (ie 188.8.131.52) from the "GeForce Experience Downloads" page or start the GFE client to apply it automatically via the built-in notification mechanism.
In July, NVIDIA fixed another security flaw in all GeForce Experience versions before 3.20.4 that could lead to code execution, denial of service or escalation of privileges.
Last month, the company also encountered a number of high-security issues with the Windows GPU display driver and software Virtual GPU Manager.