Nvidia patches critical vulnerabilities in GeForce software and GPUs

Nvidia released software updates for multiple critical flaws which would allow attackers escalate privileges, steal data or perform a denial of service

Nvidia patches critical flaws

The American tech giant Nvidia recently released an update for the GeForce Experience software as well as multiple GPU drivers, which patched 12 vulnerabilities or critical and medium severity. If exploited, the flaws could allow the attacker to harvest data, initiate a denial of service (DoS),[1] escalate privileges, and even perform remote code execution on the affected device. Nvidia released two advisories detailing each of the CVEs that affect the Graphic card drivers,[2], as well as GeForce Experience.[3]

GeForce Experience is software designed by Nvidia to provide users with useful features, such as automatic updates for the GPUs, streaming function, communication feature, gaming performance optimization, and much more. The program is installed with Nvidia drivers of other products to enhance the user experience, although it can freely be uninstalled if so desired. Nevertheless, Nvidia drivers are mandatory for each graphics processing unit, as the hardware would simply not work without software.

The vulnerabilities and the impact

Out of 12 patched vulnerabilities, eight were marked as by CVSS V3 score as a medium, while the other four were assigned a high-risk score. According to CVSS assignments, the score of the flaws ranged between 5.1 and 7.8, and was appointed the following CVE numbers (GPU drivers):

CVE‑2019‑5690 (7.8), CVE‑2019‑5691 (7.8), CVE‑2019‑5692 (7.1), VE‑2019‑5693 (6.5), CVE‑2019‑5694 (6.5), CVE‑2019‑5695 (6.5), CVE‑2019‑5696 (5.5), CVE‑2019‑5697 (5.3)

The remaining three vulnerabilities were found in GeForce Experience and were assigned the following CVE numbers and severity scores:

CVE‑2019‑5701(7.8), CVE‑2019‑5689 (6.7), CVE‑2019‑5695 (6.5)

Multiple of these flaws would allow the attacker to completely shut down the access to compromised machines or networks, preventing users’ access to it. Additionally, it is also possible to gain escalated privileges and then execute remote code on the target machine, possibly inserting malicious payloads. Finally, these vulnerabilities could grant the attacker the ability to disclose victims’ information entered on the computer.

The affected users are urged to update Nvidia products immediately

Graphic drivers are crucial for any GPU. However, these software elements can also be affected by vulnerabilities that might be exploited in the wild. That being said, Nvidia is one of the most popular GPU providers in the world, accounting for 80% of sales worldwide.[4] Thus, if you are one of the users who use tech giants’ GPUs and GeForce Experience, you should immediately update to patch the flaws.

The new version of GeForce Experience – 3.20.1 – patches all three vulnerabilities, and leaving all the previous versions vulnerable. Security flaws were spotted in all versions of Quatro, NVS, and Tesla products, and security updates for these should roll out next week. All GeForce R440 versions before 441.12 are vulnerable to the flaws. Nvidia claimed, despite these pointers, the risk assessment could vary based on various configurations:

The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk to your local installation. NVIDIA recommends consulting a security or IT professional to evaluate the risk to your specific configuration.

All users can visit the official website and download the required patches from there.[5] Nvidia thanked researchers from CTIVELabs, the Chengdu University of Technology, and SafeBreach Labs for finding and reporting the flaws for fixing.