[German]Nvidia recently had to release a security update for an application for its GeForce Experience driver package. The update fixed a security hole that was classified as critical.
NVIDIA GFE (GEFORCE EXPERIENCE) is an add-on program for GeForce GTX graphics cards, which according to NVIDIA provides the following features:
:Capture and share videos, screenshots and live streams with friends Keep drivers up to date and optimize game settings. With GeForce Experience (TM), all this is possible. It's the ideal companion for your GeForce graphics card.
In other words, it's actually a program that you don't need to run the graphics card. NVIDIA had to release a security update for the Windows NVIDIA GeForce Experience (GFE) application a few days ago to address critical vulnerabilities. The vulnerabilities could allow attackers to execute arbitrary code, elevate privileges, gain access to confidential information, or cause a Denial of Service (DoS) condition on systems.
However, to exploit the vulnerabilities (e.g., CVE-2020-5977), the attacker must have local user access; remote exploitation is not possible. However, malware could easily exploit these vulnerabilities on a system with Nvidia GeForce Experience.
- CVE‑2020‑5977: NVIDIA GeForce Experience contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure. Base-Score: 8.2
- CVE‑2020‑5990: NVIDIA GeForce Experience contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service, or information disclosure. Base-Score: 7.3
- CVE‑2020‑5978: NVIDIA GeForce Experience contains a vulnerability in its services in which a folder is created by
nvcontainer.exe
under normal user login withLOCAL_SYSTEM
privileges which may lead to a denial of service or escalation of privileges. Base-Score: 3.2
The vulnerabilities only affect computers running Windows and NVIDIA GeForce Experience versions prior to 3.20.5.70. To apply the security update, download and install the latest version (i.e. 3.20.5.70) from the GeForce Experience download page. Alternatively, start the GFE client to have the software automatically updated via the built-in update mechanism. (via)