Lenovo Security Advisory: LEN-24779
Potential Impact: Information disclosure, denial of service, privilege escalation
Scope of Impact: Industry-wide
CVE Identifier: CVE-2018-6257, CVE-2018-6258, CVE-2018-6259, CVE‑2018‑6261, CVE‑2018‑6262
NVIDIA has released a software update to address potential security vulnerabilities in GeForce Experience. When GameStream is enabled and an unauthorized user gains system access, these issues may lead to limited user information disclosure, denial of service, or escalation of privileges. These vulnerabilities are summarized below.
CVE-2018-6257: NVIDIA GeForce Experience contains a potential vulnerability when GameStream is enabled where improper access control may lead to a denial of service, escalation of privileges, or both.
CVE-2018-6258: NVIDIA GeForce Experience contains a potential vulnerability during GameStream installation where an attacker who has system access can potentially conduct a Man-in-the-Middle (MitM) attack to obtain sensitive information.
CVE-2018-6259: NVIDIA GeForce Experience contains a potential vulnerability when GameStream is enabled, an attacker has system access, and certain system features are enabled, where limited information disclosure may be possible.
CVE-2018-6261: NVIDIA GeForce Experience contains a vulnerability when GameStream is enabled which sets incorrect permissions on a file, which may to code execution, denial of service, or escalation of privileges by users with system access.
CVE-2018-6262: NVIDIA GeForce Experience contains a vulnerability when GameStream is enabled where limited sensitive user information may be available to users with system access, which may lead to information disclosure.
Mitigation Strategy for Customers (what you should do to protect yourself):
NVIDIA recommends updating to the version of NVIDIA GeForce Experience (or later) described for your system in the product impact section. To immediately protect your system, disable the GeForce Experience Share In-game Overlay until the application can be patched.