NVIDIA GeForce Experience - May 2019 - Lenovo Support US

2019-06-1015:17:33

support.lenovo.com

6.7 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.001 Low

EPSS

Percentile

17.8%

JSON

Lenovo Security Advisory: LEN-27815

Potential Impact: Privilege escalation, information disclosure, denial of service

Severity: High

Scope of Impact: Industry-wide

CVE Identifier: CVE-2019-5676, CVE-2019-5678

Summary Description:

NVIDIA has released a software update to address potential security vulnerabilities in NVIDIA GeForce Experience. These vulnerabilities are summarized below.

CVE‑2019‑5676: NVIDIA GeForce Experience installer software contains a vulnerability in which it incorrectly loads Windows system DLLs without validating the path or signature (also known as a binary planting or DLL preloading attack), leading to escalation of privileges through code execution. The attacker requires local system access.

CVE‑2019‑5678: NVIDIA GeForce Experience contains a vulnerability in the Web Helper component, in which an attacker with local system access can craft input that may not be properly validated. Such an attack may lead to code execution, denial of service or information disclosure.

Mitigation Strategy for Customers (what you should do to protect yourself):

NVIDIA recommends updating to the version of NVIDIA GeForce Experience (or later) described for your system in the product impact section.

Product Impact: