NVIDIA released a security update for the NVIDIA GeForce Experience software for Windows to patch a vulnerability that could allow potential local attackers with basic user privileges to elevate privileges, trigger code execution, and perform denial-of-service (DoS) attacks.

While this vulnerability requires local user access and cannot be exploited remotely, would-be attackers could take advantage of it by planting malicious tools remotely using various means on a system running a vulnerable version of NVIDIA GeForce Experience.

Security issue rated as high severity by NVIDIA

Taking advantage of this vulnerability, bad actors can escalate their privileges thus making it possible to gain permissions beyond the ones initially granted by the system.

This would allow them to execute malicious code on the compromised systems and also to render vulnerable machines unusable by triggering a denial of service state.

The software flaw fixed by NVIDIA is detailed below, together with its full description and the assigned CVSS v3 base score.

CVE: CVE-2019-5674
Description: NVIDIA GeForce Experience contains a vulnerability when ShadowPlay or GameStream is enabled. When an attacker has access to the system and creates a hard link, the software does not check for hard link attacks. This behavior may lead to code execution, denial of service, or escalation of privileges.
Base Score: 8.8
Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

The fixed security issue tracked as CVE-2019-5674 was reported by David Yesland of Rhino Security Labs, and it comes with a high severity rating and an 8.8 base score from NVIDIA.

As detailed by Yesland in a blog post published one day after NVIDIA issued the security update and published their advisory:

This vulnerability allowed any system file to be overwritten due to insecure permissions set on log files which GFE writes data to as the SYSTEM user. Additionally, one log file contained data that could be user-controlled, allowing commands to be injected into it and then written to as a batch file, leading to code execution on other users and potentially privilege escalation.
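The bug class described above is a privileged service appending to a log file that a low-privileged user can replace with a hard link or symbolic link, so the write lands on a protected file instead. The following is an added illustration of the defensive check such a writer should perform before opening its log; it is not NVIDIA's or Rhino Security Labs' code, and the helper names (audit_log_path, safe_open_log, demo) and the temporary directory scenario are assumptions constructed for this example. It uses POSIX link counts and mode bits; on Windows the hard-link count is reported the same way through st_nlink, but the permission check would need to inspect the file's ACL instead.

```python
"""Defensive pre-write checks for a log file written by a privileged process.

Added example, not code from the original article or from NVIDIA/Rhino Security Labs.
Helper names and the temp-directory scenario are constructed for illustration.
"""
import os
import stat
import tempfile


def audit_log_path(path: str) -> list:
    """Return the reasons why appending to `path` as a privileged user is unsafe.

    An empty list means the checks passed. Checks performed:
      * the path must not be a symbolic link (the target could be any file)
      * the file must not have more than one hard link (a low-privileged user
        may have linked a protected file into the log directory)
      * the file must not be writable by group or others (insecure permissions)
    """
    problems = []
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink while inspecting it
    except FileNotFoundError:
        return problems  # nothing exists yet; creation is handled by safe_open_log
    if stat.S_ISLNK(st.st_mode):
        problems.append("path is a symbolic link")
        return problems
    if st.st_nlink > 1:
        problems.append("file has %d hard links" % st.st_nlink)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("file is writable by group or others")
    return problems


def safe_open_log(path: str):
    """Open `path` for append only after it passes audit_log_path().

    O_NOFOLLOW makes the kernel itself refuse a symlink at open time (closing the
    check-then-open race for that case); O_CREAT with mode 0o600 creates any new
    file without group/other write access. Raises PermissionError on a failed audit.
    """
    problems = audit_log_path(path)
    if problems:
        raise PermissionError("refusing to write %s: %s" % (path, "; ".join(problems)))
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT
    if hasattr(os, "O_NOFOLLOW"):  # not available on every platform
        flags |= os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    return os.fdopen(fd, "a")


def demo() -> dict:
    """Constructed scenario in a temporary directory; returns the audit outcomes."""
    with tempfile.TemporaryDirectory() as d:
        # 1. A log file the privileged writer creates itself passes the audit.
        clean = os.path.join(d, "service.log")
        with safe_open_log(clean) as f:
            f.write("service started\n")
        clean_result = audit_log_path(clean)

        # 2. A protected file that a low-privileged user hard-linked into the
        #    log directory: the link count is now 2 and the writer must refuse.
        protected = os.path.join(d, "protected.txt")
        with open(protected, "w") as f:
            f.write("do not overwrite\n")
        linked = os.path.join(d, "linked.log")
        os.link(protected, linked)
        linked_result = audit_log_path(linked)
        try:
            safe_open_log(linked)
            linked_refused = False
        except PermissionError:
            linked_refused = True

        # 3. A symlink placed where the log is expected is refused as well.
        sym = os.path.join(d, "sym.log")
        os.symlink(protected, sym)
        sym_result = audit_log_path(sym)

        return {
            "clean": clean_result,
            "linked": linked_result,
            "linked_refused": linked_refused,
            "sym": sym_result,
        }


if __name__ == "__main__":
    print(demo())
```

The link-count check is the specific mitigation for the hard-link case the advisory names: a freshly created, privately owned log has exactly one link, so a count above one means someone else has aliased the file. The remaining race between the audit and the open is why the open itself also carries O_NOFOLLOW and a restrictive creation mode rather than relying on the audit alone.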

Impacts all GeForce Experience versions prior to 3.18

CVE-2019-5674 affects Windows computers where a version of NVIDIA GeForce Experience prior to 3.18 is installed and ShadowPlay or GameStream is enabled.

According to NVIDIA's advisory, the "risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk of your local installation. NVIDIA recommends consulting a security or IT professional to evaluate the risk to your specific configuration."

To apply the security update, NVIDIA GeForce Experience users can download the latest version from the GeForce Experience Downloads page, or launch the client on their Windows computers to have it applied using the built-in automatic update mechanism.

Last month, NVIDIA also released a security update for the NVIDIA GPU Display Driver software which patched eight security issues that could have led to code execution, escalation of privileges, denial of service, or information disclosure on vulnerable Windows and Linux machines.

Update March 27 10:22 EDT: Added David Yesland's vulnerability description and a link to his in-depth analysis on how CVE-2019-5674 could be exploited.

Update March 27 15:48 EDT: Removed NvContainer from the list of GeForce Experience features needed to be enabled for CVE-2019-5674 to be exploitable after NVIDIA updated their advisory.