Patches released by NVIDIA last week for GeForce Experience software address two arbitrary code execution bugs evaluated with a high severity rating.
The GeForce Experience software is a companion application that is installed together with the NVIDIA GeForce drivers. Acting as a GPU management tool, it allows users to record and share videos and screenshots, update drivers, and ensure that game settings are always optimized.
Registered as CVE – 2020‑5977 and with a CVSS score of 8.2, the first of the issues just addressed was identified in the NVIDIA Web Helper NodeJS web server and exists because an uncontrolled search path is used to load a node module.
An attacker capable of exploiting the flaw could run code in the context of vulnerable software, could cause denial of service, escalate privileges or access restricted information, NVIDIA notes in an advisory.
The second vulnerability has the identifier CVE – 2020‑5990 and a CVSS score of 7.3. According to NVIDIA, the flaw was identified in the ShadowPlay component and can lead to code execution, local privilege escalation, denial of service, or information disclosure.
A third vulnerability patched with the new version is CVE – 2020‑5978 (CVSS score of 3.2), identified in GeForce Experience services. The error exists because “nvcontainer.exe creates a folder with a normal user login with LOCAL_SYSTEM privileges,” explains NVIDIA.
The flaw could be exploited to achieve denial of service or increase privileges.
All three vulnerabilities, NVIDIA explains, affect GeForce Experience versions prior to 126.96.36.199. To keep their systems protected, users are encouraged to update to software version 188.8.131.52 or newer.
Featured Image: BleepingComputer