If you have a Nvidia card, or GeForce Experience, then you’ll want to update both of those things today.
The GPU maker announced this Friday that the middleware had three security vulnerabilities affecting all versions of the program. The security holes all require a user to have local access, which is a huge relief as opposed to vulnerabilities that can be executed remotely, but they are severe enough that Nvidia has released an immediate hotfix.
The flaws affect GeForce Experience’s downloader component, local service provided, and the Nvidia GameStream service:
CVE‑2019‑5701: Nvidia GeForce Experience contains a vulnerability when GameStream is enabled in which an attacker with local system access can load the Intel graphics driver DLLs without validating the path or signature (also known as a binary planting or DLL preloading attack), which may lead to denial of service, information disclosure or escalation of privileges through code execution.
CVE‑2019‑5689: Nvidia GeForce Experience contains a vulnerability in the Downloader component in which a user with local system access can craft input that may allow malicious files to be downloaded and saved. This behaviour may lead to code execution, denial of service, or information disclosure.
CVE‑2019‑5695: Nvidia GeForce Experience contains a vulnerability in the local service provider component in which an attacker with local system and privileged access can incorrectly loads Windows system DLLs without validating the path or signature (also known as a binary planting or DLL preloading attack), which may lead to denial of service or information disclosure through code execution.
But it’s not just GeForce Experience. A security bulletin was issued for the GeForce display drivers as well, with 9 separate flaws in the kernel mode layer, Nvidia Control Panel, and more that could open up attack vectors for users with local system access. If you’ve updated your GeForce, NVS or Quadro card to 441.12, you’ll already have most of the security updates, while some NVS, Quadro and Tesla GPU owners will have to wait until the week of November 18 for the patches.
Version 441.12 is the same Game Ready Driver for Red Dead Redemption 2 and Need for Speed: Heat, so if you’ve already updated for that, then you’re good. As for GeForce Experience, you’ll want to make sure you’re using version 3.20.1. If you’re not on that, upgrade through GeForce Experience itself — or, alternatively, clean your system using something like Display Driver Uninstaller, and just download the drivers you need directly.
Leave a Reply