Nvidia tackles code execution flaws, data leaks in GeForce Experience

The worst of the bugs is an uncontrolled search path issue with severe, exploitable consequences.
Written by Charlie Osborne, Contributing Writer

Nvidia has resolved a trio of vulnerabilities impacting the GeForce Experience suite. 

GeForce Experience is software designed by Nvidia with games and live streamers in mind, including driver update management, driver optimization for gaming and graphics cards, and both video & audio capture.  

On October 22, Nvidia said the firm's latest security update tackles issues found in all versions of GeForce Experience prior to on Windows machines. Nvidia says the issues could lead to "denial of service, escalation of privileges, code execution, or information disclosure."

See also: Nvidia makes a clean sweep of MLPerf predictions benchmark for artificial intelligence

The first vulnerability, CVE‑2020‑5977, has been issued a CVSS v3.1 score of 8.2 and is described as a flaw in the Helper NodeJS Web Server module of the software. An "uncontrolled search path" is used to load a module, and it is this lack of restriction that can be exploited by attackers for the purposes of executing arbitrary code, denial of service, privilege escalation, and information leaks. 

CNET: Russian hackers infiltrated state and local government networks, officials say

The second security flaw, CVE‑2020‑5990, has been assigned a CVSS severity score of 7.3. Found in ShadowPlay, the live stream and broadcast facility in Nvidia's software, a vulnerability can be abused to trigger code execution, denial of service, and information disclosure. The vulnerability may also be utilized to perform a privilege escalation attack -- but this can only be performed locally.  

Finally, Nvidia has resolved CVE‑2020‑5978, a low-impact vulnerability with a CVSS v.3.1 score of 3.2. A security flaw within GeForce Experience's nvcontainer.exe service, in which a folder is created under standard user login situations, can be abused for privilege escalation or denial of service attacks. However, the user account must already have local system privileges. 

It is recommended that users accept automatic updates to receive the patch as quickly as possible. The vulnerabilities have been fixed in GeForce Experience version

TechRepublic: How to protect your privacy when selling your phone

In July, Nvidia resolved a bug in the service host component of the software. Application resources were not verified properly, allowing attackers to execute arbitrary code, compromise GeForce Experience itself, cause a denial of service, and leak data. 

A critical privilege escalation vulnerability in Jetson, found within the Nvidia JetPack SDK, was also resolved at the same time.  

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards