On October 22, Nvidia resolved three vulnerabilities that were impacting the GeForce Experience suite.
The latest security update tackled issues found in all versions before 220.127.116.11 on Windows machines.
Nvidia says the issues could lead to “denial of service, escalation of privileges, code execution, or information disclosure.“
Do you want to know what happened and how it was leaking the gamer’s data?
What Was the Latest Nvidia GeForce Security About?
In the first place, Nvidia built GeForce Experience software as a companion utility for GeForce GTX graphic cards.
According to them: “it keeps your drivers up to date, automatically optimizes your game settings, and gives you the easiest way to share your greatest gaming moments with friends”
The software for gamers (more specifically, live streamers) includes driver optimization and both video and audio capture. It’s also a driver update manager.
These three recently-patched vulnerabilities weren’t the only ones that have ever existed. Nvidia has warned about other GeForce brand-related security issues, as what happened in 2019 with the product’s denial of service exploited.
After that, in June, Nvidia fixed severe flaws that were affecting drivers for Windows and Linux users (including those using GeForce, Quadro, and Tesla software).
Now, here are the details about the most recently-patched vulnerabilities:
The first one (CVE‑2020‑5977) was issued with a CVSS v3.1 score of 8.2. It’s described as a flaw in the Helper NodeJS Web Server module of the software. More specifically, an “uncontrolled search path” is used to load a module.
This lack of restrictions is exactly those who can be exploited to provoke information leaks, denial of service, and privilege escalation with the help of arbitrary code execution.
The second security flaw is issued as CVE‑2020‑5990. A CVSS severity score of 7.3. was assigned to it, after being found in Nvidia’s live stream and broadcast software: ShadowPlay. The consequences that could be triggered by this execution flaw are very similar (information disclosure, code execution, and denial of service) but with the difference that could only be performed locally.
Last, but not least, the final issue Nvidia resolved (CVE‑2020‑5978) was a low-impact vulnerability within GeForce Experience’s nvcontainer.exe service. A folder, created under a standard user-login situation, could have been abused for, again, privilege escalation or DoS attacks.
This one was issued with a CVSS v.3.1 scores of 3.2.
According to Nvidia, these exploitable bugs were of low complexity, requiring low privileges, and no user interaction was required.
The vulnerabilities have been fixed in GeForce Experience version 18.104.22.168.
A similar, critical privilege escalation vulnerability was recently found and resolved in Jetson, within Nvidia Jetpack SDK.
And if this wasn’t enough, the company addressed some severe security issues in the Windows GPU display driver, as well as in the Virtual GPU Manager program.
Probably, this won’t be the last one either. That’s why NVIDIA says:
“Risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk of your local installation.”
Finally, the company recommends “consulting a security or IT professional to evaluate the risk to your specific configuration.”
Personally, I almost always come to the same conclusion.
I’m a gamer myself (as almost the third of the planet’s population), and probably so are you. That’s why news like these get me worried about privacy and security.
Do you feel identified?
Don’t worry, you don’t have to lose your peace of mind.
MyITGuy’s experts are ready to guide you, answering any questions you might have, and troubleshoot possible leaking holes inside the infrastructure of your business.
Not even top-tier third-party platforms like GeForce Experience are completely safe… Do you believe yours is?