After the reports of vulnerabilities, Nvidia has released security patches for its GeForce Experience software and GPU display driver. On Thursday, Nvidia published two sets of security advisories explaining all the vulnerabilities. According to the tech giant, the most severe vulnerabilities could allow code execution and information disclosure. Nvidia has advised everyone to install the patch as they receive it.
The GeForce experience had three vulnerabilities, the first one was discovered by Hashim Jawad of ACTIVELabs. The vulnerability was labeled as CVE-2019-5701 that can allow an attacker with local access to load Intel graphics driver DLLs without path validation. It can lead to arbitrary code execution, privilege escalation, denial-of-service (DOS) or information disclosure. The second vulnerability was found by Siyuan Yi of the Chengdu University of Technology and it was found within the GeForce downloader. Labeled as CVE-2019-5689 it was able to create and execute code to transfer and save malicious files. The third vulnerability, labeled CVE-2019-5695, was discovered by Peleg Hadar of SafeBreach Labs. It was found inside the GeForce local service provider component. With local and privileged access, a hacker could use an incorrect Windows system DLL loading to cause DOS (denial of service) or data theft.
The GPU display driver had six vulnerabilities, which according to Nvidia could cause severe damage. The most critical vulnerability was labeled as CVE-2019-5690 and it could lead to DoS or privilege escalation. It was an issue in the kernel mode layer handler, the vulnerability could cause invalid input size. The second vulnerability CVE-2019-5691 was also found in the same system, in which null pointer errors were exploited with the same outcome. CVE-2019-5692 and CVE-2019-5693 were also in the kernel-mode handler, where CVE-2019-5692 caused DoS and CVE-2019-5693 could lead to service denial if exploited.
The other two vulnerabilities CVE-2019-5694 and CVE-2019-5695 were found in the display driver that led to incorrect DLL loading problems and DoS. According to Nvidia, these vulnerabilities were found in versions older than 3.20.1 of Nvidia GeForce Experience.