A serious vulnerability in NVIDIA GeForce Experience posed a severe threat to the gamers. More specifically, the software vulnerability threatened users of Windows systems.
Serious GeForce Experience Vulnerability Discovered
Reportedly, researcher, David Yesland from Rhino Security Labs, discovered a serious security flaw in NVIDIA GeForce Experience software. According to his findings, exploiting the vulnerability could lead to denial of service, privilege escalation, and even code execution. GeForce Experience is a supplementary application by NVIDIA installed alongside GeForce products for automatic game settings optimization and added functionality.
The researcher has shared his findings in a detailed blog post. As disclosed by Yesland, he observed an arbitrary file write vulnerability affecting the system. Describing in brief about the bug, he stated,
“This vulnerability allowed any system file to be overwritten due to insecure permissions set on log files which GFE writes data to as the SYSTEM user. Additionally, one log file contained data that could be user-controlled, allowing commands to be injected into it and then written to as a batch files leading to code execution on other users and potentially privilege escalation.”
Yesland has explained the technicalities associated with this flaw in his blog post. He has also demonstrated a detailed PoC in his blog post alongside a basic brief on Github.
NVIDIA Patched The Flaw
NVIDIA has also acknowledged Yesland’s findings for the vulnerability CVE‑2019‑5674. Explaining this vulnerability in their security advisory, they stated,
“NVIDIA GeForce Experience contains a vulnerability when ShadowPlay or GameStream is enabled. When an attacker has access to the system and creates a hard link, the software does not check for hard link attacks. This behavior may lead to code execution, denial of service, or escalation of privileges.”
The vendors labeled it a high severity bug that achieved a CVSS base score of 8.8. As explained, the vulnerability affected all GeForce Experience software versions prior to 3.18 for Windows Operating system. NVIDIA has fixed the bug in the software version 3.18. Thus, the users must ensure upgrading their devices to the latest version to avoid potential threats.