Lucene search

K
nvidiaNvidiaNVIDIA:5076
HistoryOct 22, 2020 - 12:00 a.m.

Security Bulletin: NVIDIA GeForce Experience - October 2020

2020-10-2200:00:00
nvidia.custhelp.com
11

4.6 Medium

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

29.5%

NVIDIA has released a software security update for NVIDIA® GeForce Experience™ software. This update addresses issues that may lead to denial of service, escalation of privileges, code execution, or information disclosure. To protect your system, download and install this software update from the GeForce Experience Downloads page or open the client to automatically apply the security update. >Go to NVIDIA Product Security.

Details

This section provides a summary of potential vulnerabilities and their impact that this security update addresses. Descriptions use CWE™, and base scores and vectors use CVSS v3.1 standards.

CVE IDs Description Base Score Vector
CVE‑2020‑5977 NVIDIA GeForce Experience contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure. 8.2 AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
CVE‑2020‑5990 NVIDIA GeForce Experience contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service or information disclosure. 7.3 AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CVE‑2020‑5978 NVIDIA GeForce Experience contains a vulnerability in its services in which a folder is created by nvcontainer.exe under normal user login with LOCAL_SYSTEM privileges which may lead to a denial of service or escalation of privileges. 3.2 AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L

The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk to your local installation. NVIDIA recommends consulting a security or IT professional to evaluate the risk to your specific configuration.

Security Updates

The following table lists the NVIDIA software products affected, versions affected, and the updated version that includes this security update.

Download the updates from the GeForce Experience Downloads page or open the client to automatically apply the security update.

CVE IDs Addressed Software Product Operating System Affected Versions Updated Version
CVE‑2020‑5977 CVE‑2020‑5978 CVE‑2020‑5990 GeForce Experience Windows All versions prior to 3.20.5.70 3.20.5.70

Mitigations

See Security Updates for the version to install.

Acknowledgements

NVIDIA thanks following individuals for reporting the issues:

  • CVE‑2020‑5977: Xavier DANEST of Decathlon and Boris Ryutin
  • CVE‑2020‑5978: Hashim Jawad of ACTIVELabs
  • CVE‑2020‑5990: Hashim Jawad of ACTIVELabs
CPENameOperatorVersion
geforce experiencelt3.20.5.70

4.6 Medium

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

29.5%

Related for NVIDIA:5076