NVIDIA has released a security update for the Windows application NVIDIA GeForce Experience (GFE) to address vulnerabilities that could allow attackers to execute arbitrary code, escalate privileges, gain access to sensitive information, or cause a denial of service (DoS) condition on affected systems.
NVIDIA GFE is a utility for GeForce GTX graphics cards that “updates the drivers, automatically optimizes your gaming settings and gives you the easiest way to share your greatest gaming moments with your friends,” according to NVIDIA.
While these flaws require attackers to have local user access and cannot be exploited remotely, they can be exploited with malicious tools deployed on systems running vulnerable versions of the NVIDIA GFE application.
In addition, according to NVIDIA, attacks that take advantage of these bugs are low in complexity, require only low privileges, and do not require user interaction.
CVE IDs | Description | Base Score |
---|---|---|
CVE-2020-5977 | NVIDIA GeForce Experience contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure. | 8.2 |
CVE-2020-5990 | NVIDIA GeForce Experience contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service, or information disclosure. | 7.3 |
CVE-2020-5978 | NVIDIA GeForce Experience contains a vulnerability in its services in which a folder is created by nvcontainer.exe under normal user login with LOCAL_SYSTEM privileges which may lead to a denial of service or escalation of privileges. | 3.2 |