NVIDIA has fixed two dangerous vulnerabilities in its GeForce Experience product and urged users to download and install the latest updates as soon as possible to secure their systems.
The first bug, CVE-2019-5678, received a score of 7.8 on the CVSS scale. The vulnerability affected the Web Helper component, which is responsible for downloading and installing drivers, logging into an NVIDIA account and other similar tasks.
The problem was incorrect validation of input data. Attackers with local access to the system could supply potentially harmful input and execute arbitrary code. This could lead to denial of service or disclosure of confidential information.
The vulnerability was discovered by David Yesland of the security company Rhino Security Labs.
The second vulnerability, CVE-2019-5676, scored 7.2 on the CVSS scale. It affected the GeForce Experience installer and is associated with incorrect loading of Windows system DLLs. With local access to the system, the bug allowed an attacker to execute code in order to escalate privileges on the system.
Several researchers reported the error at once, including FortiGuard Labs Senior Security Engineer Kushal Arvind Shah and independent experts Yasin Suleiman, Marius Gabriel Mihai and others.
“The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk to your local installation. NVIDIA recommends consulting a security or IT professional to evaluate the risk to your specific configuration,” the company said.
GeForce Experience is software for gamers using GTX graphics cards. It keeps drivers up to date and optimizes game settings. The bugs are present in all versions of GeForce Experience for Windows older than 3.19.
This year, serious errors that could lead to execution of malicious code and denial of service have already been found in the GeForce Experience software. For example, in March, Google developers fixed vulnerabilities in NVIDIA components for Android mobile devices. Last month, the company eliminated three bugs in its GPU Display Driver product, and CVE-2019-5676 was one of those bugs.