NVIDIA released security updates to fix 12 high and medium severity vulnerabilities in the Windows GPU display driver and the NVIDIA GeForce Experience (GFE) software.

NVIDIA GFE is a GeForce GTX graphics card companion app which, according to NVIDIA, "keeps your drivers up to date, automatically optimizes your game settings, and gives you the easiest way to share your greatest gaming moments with friends."

The flaws addressed by NVIDIA today could lead to code execution, escalation of privileges, information disclosure, and denial of service on vulnerable Windows computers after exploitation.

All of today's patched security issues require local user access and cannot be exploited remotely, with attackers having to depend on user interaction to execute the exploits designed to abuse one of the fixed bugs on unpatched systems.

High severity security issues

The patched vulnerabilities received CVSS V3 base scores ranging from 5.1 to 7.8 from NVIDIA, with four of them having received high severity risk assessments, while eight others were assigned medium risk base scores, all of them impacting Windows systems.

By exploiting these security issues, attackers can escalate their privileges, gaining permissions above those initially granted by the compromised system.

These flaws would also enable them to render vulnerable machines temporarily unusable by triggering denial of service states, as well as locally execute malicious code on the vulnerable Windows machines.

The GPU Display Driver security issues fixed by NVIDIA in the November 2019 security updates are listed below, together with full descriptions and their CVSS V3 base scores.

| CVE | Description | Base Score |
|---|---|---|
| CVE‑2019‑5690 | NVIDIA Windows GPU Display Driver contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape in which the size of an input buffer is not validated, which may lead to denial of service or escalation of privileges. | 7.8 |
| CVE‑2019‑5691 | NVIDIA Windows GPU Display Driver contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape in which a NULL pointer is dereferenced, which may lead to denial of service or escalation of privileges. | 7.8 |
| CVE‑2019‑5692 | NVIDIA Windows GPU Display Driver contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape in which the product uses untrusted input when calculating or using an array index, which may lead to escalation of privileges or denial of service. | 7.1 |
| CVE‑2019‑5693 | NVIDIA Windows GPU Display Driver contains a vulnerability in the kernel mode layer (nvlddmkm.sys) in which the program accesses or uses a pointer that has not been initialized, which may lead to denial of service. | 6.5 |
| CVE‑2019‑5694 | NVIDIA Windows GPU Display Driver contains a vulnerability in NVIDIA Control Panel in which it incorrectly loads Windows system DLLs without validating the path or signature (also known as a binary planting or DLL preloading attack), which may lead to denial of service or information disclosure through code execution. The attacker requires local system access. | 6.5 |
| CVE‑2019‑5695 | NVIDIA Windows GPU Display Driver contains a vulnerability in the local service provider component in which an attacker with local system and privileged access can incorrectly load Windows system DLLs without validating the path or signature (also known as a binary planting or DLL preloading attack), which may lead to denial of service or information disclosure through code execution. | 6.5 |
| CVE‑2019‑5696 | NVIDIA Virtual GPU Manager contains a vulnerability in which the provision of an incorrectly sized buffer by a guest VM leads to GPU out-of-bound access, which may lead to a denial of service. | 5.5 |
| CVE‑2019‑5697 | NVIDIA Virtual GPU Manager contains a vulnerability in which it may grant a guest access to memory that it does not own, which may lead to information disclosure or denial of service. | 5.3 |
| CVE‑2019‑5698 | NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU plugin, in which an input index value is incorrectly validated, which may lead to denial of service. | 5.1 |
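The three DxgkDdiEscape entries above describe classic input-validation failures: an unchecked buffer size, a NULL pointer dereference, and an untrusted array index. The following is an added illustration, not NVIDIA's code and not part of the advisory, showing the checks a handler of this kind needs before touching caller-supplied data; the message layout `esc_msg_t`, the function names and the table are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical private escape message; the real driver layout is not public. */
#define ESC_TABLE_LEN 8u
typedef struct {
    uint32_t cmd;    /* command selector */
    uint32_t slot;   /* caller-controlled index into a driver table */
    uint32_t value;  /* payload to store */
} esc_msg_t;

enum { ESC_OK = 0, ESC_BAD_PTR = -1, ESC_BAD_SIZE = -2, ESC_BAD_INDEX = -3 };

static uint32_t g_table[ESC_TABLE_LEN];  /* stands in for kernel-side state */

/* Models an escape handler: `data` and `size` play the role of the
 * caller-supplied private data pointer and its declared length. */
int handle_escape(const void *data, size_t size)
{
    esc_msg_t msg;

    if (data == NULL)               /* bug class of CVE-2019-5691 */
        return ESC_BAD_PTR;
    if (size < sizeof msg)          /* bug class of CVE-2019-5690 */
        return ESC_BAD_SIZE;

    /* Copy once into local storage so the checks below and the later use
     * see the same bytes even if the caller rewrites its buffer. */
    memcpy(&msg, data, sizeof msg);

    if (msg.slot >= ESC_TABLE_LEN)  /* bug class of CVE-2019-5692 */
        return ESC_BAD_INDEX;

    g_table[msg.slot] = msg.value;
    return ESC_OK;
}

uint32_t table_get(uint32_t slot) { return slot < ESC_TABLE_LEN ? g_table[slot] : 0; }

int main(void)
{
    esc_msg_t ok  = { 1u, 3u, 0xABCDu };         /* constructed sample input */
    esc_msg_t bad = { 1u, ESC_TABLE_LEN, 1u };   /* index one past the end */
    return !(handle_escape(&ok, sizeof ok) == ESC_OK &&
             handle_escape(&bad, sizeof bad) == ESC_BAD_INDEX &&
             handle_escape(&ok, 4) == ESC_BAD_SIZE);
}
```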

The GFE security issues are also listed in the table below, with full descriptions and CVSS V3 base scores.

| CVE | Description | Base Score |
|---|---|---|
| CVE‑2019‑5701 | NVIDIA GeForce Experience contains a vulnerability when GameStream is enabled in which an attacker with local system access can load the Intel graphics driver DLLs without validating the path or signature (also known as a binary planting or DLL preloading attack), which may lead to denial of service, information disclosure or escalation of privileges through code execution. | 7.8 |
| CVE‑2019‑5689 | NVIDIA GeForce Experience contains a vulnerability in the Downloader component in which a user with local system access can craft input that may allow malicious files to be downloaded and saved. This behavior may lead to code execution, denial of service, or information disclosure. | 6.7 |
| CVE‑2019‑5695 | NVIDIA GeForce Experience contains a vulnerability in the local service provider component in which an attacker with local system and privileged access can incorrectly load Windows system DLLs without validating the path or signature (also known as a binary planting or DLL preloading attack), which may lead to denial of service or information disclosure through code execution. | 6.5 |

The "risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk of your local installation," according to the security advisories. "NVIDIA recommends consulting a security or IT professional to evaluate the risk to your specific configuration."

NVIDIA also acknowledges the following reporters for disclosing some of the issues patched today:

Hashim Jawad of ACTIVELabs: CVE-2019-5701

Siyuan Yi of Chengdu University of Technology: CVE-2019-5689

Peleg Hadar of SafeBreach Labs: CVE-2019-5694, CVE-2019-5695, CVE-2019-5695

NVIDIA's two advisories published today also list the driver and GeForce Experience versions impacted by the 12 patched security issues.

Users are urged to update their GeForce, Quadro, NVS, and Tesla Windows GPU display drivers by applying the security update available on the NVIDIA Driver Downloads page. Some of the affected driver versions will receive patches during the week of November 18 as per NVIDIA.

The company also advises customers to patch their GeForce Experience software by downloading the latest version from the GeForce Experience Downloads page or by launching the client to have it applied via the automatic update mechanism.