NvidiaNVIDIA:4740Security Bulletin: NVIDIA GeForce Experience - November 2018
4.6 Medium
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.0004 Low
EPSS
Percentile
5.1%
NVIDIA has released a software update for GeForce Experience. This update addresses issues that may lead to escalation of privileges or information disclosure. To protect your system, download and install this software update through the GeForce Experience Downloads page.
Details
This section summarizes the potential impact that this security update addresses. Descriptions use CWEβ’, and base scores and vectors follow CVSS V3 standards.
| CVE | Description | Base Score | Vector |
|---|---|---|---|
| CVEβ2018β6263 | NVIDIA GeForce Experience contains a vulnerability in which an attacker who has access to a local user account can plant a malicious dynamic link library (DLL) during application installation, which may lead to escalation of privileges. | 8.8 | AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| CVEβ2018β6265 | NVIDIA GeForce Experience contains a vulnerability during application installation on Windows 7 in elevated privilege mode, where a local user who initiates a browser session may obtain escalation of privileges on the browser. | 8.2 | AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H |
| CVEβ2018β6266 | NVIDIA GeForce Experience contains a vulnerability where a local user may obtain third party integration parameters which may lead to information disclosure. | 5.5 | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
NVIDIAβs risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk of your local installation. NVIDIA recommends consulting a security or IT professional to evaluate the risk to your specific configuration.
Security Updates
The following table lists the software products and versions affected by these potential vulnerabilities, and the updated versions that address these vulnerabilities.
| Software Product | ** Operating System** | ** Affected Versions** | ** Updated Version** |
|---|---|---|---|
| GeForce Experience | Windows | All versions prior to 3.16 | 3.16 |
Download the updates from the NVIDIA GeForce Experience Downloads page, or open the client to automatically apply the security update.
Notes:
- Affected versions include the versions listed and all earlier branches and releases.
- If you are using an unsupported version or an earlier unsupported branch, upgrade to the latest supported version. To identify products that are no longer supported, contact NVIDIA Support.
Mitigations
None. See Security Updates for the versions to install.
Acknowledgements
CVE-2018-6263: NVIDIA thanks Pierre-Alexandre Braeken for reporting this issue.
CVE-2018-6266: NVIDIA thanks Akshay Jain for reporting this issue.
| CPE | Name | Operator | Version |
|---|---|---|---|
| geforce experience | lt | 3.16 |
Related
4.6 Medium
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.0004 Low
EPSS
Percentile
5.1%