Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

ACTIVE-2019-011: NVIDIA GeForce Experience Local Privilege Escalation

Vulnerability Type:

Privilege Escalation

Vendors:

NVIDIA Corporation

CVE ID:

CVE-2019-5701

Affected Products:

  • GeForce Experience version 3.20.0.118 and older

Summary:

GeForce Experience version 3.20.0.118 and older suffer from local privilege escalation due to the lack of safe DLL loading. This vulnerability allows local non-privileged users to perform DLL Hijacking via any writable directory listed under the system path and ultimately execute code as NT AUTHORITY\SYSTEM.

Mitigation:

The vendor has released a patch in version 3.20.1.57 addressing this vulnerability.

Credit:

This vulnerability was found by Hashim Jawad of ACTIVELabs.

References:

Disclosure Timeline:

  • 09-03-19: ACTIVELabs sent vulnerability details to NVIDIA PSIRT
  • 09-04-19: NVIDIA PSIRT acknowledge report and opened a case
  • 09-11-19: ACTIVELabs requested status update
  • 09-11-19: NVIDIA PSIRT responded that the product team is still working to reproduce the issue
  • 09-13-19: NVIDIA PSIRT requested additional information
  • 09-13-19: ACTIVELabs sent requested information
  • 09-19-19: ACTIVELabs sent supplementary vulnerability details to NVIDIA PSIRT
  • 09-23-19: ACTIVELabs requested status update
  • 09-23-19: NVIDIA PSIRT was able to reproduce the issue and patch is scheduled for release by the end of October
  • 10-28-19: ACTIVELabs requested an update and provided copy of draft blog post which will be published after patch release
  • 10-28-19: NVIDIA PSIRT responded with details about release dates and requested blog post for review
  • 10-28-19: ACTIVELabs sent blog post draft
  • 11-04-19: Patch released
  • 11-06-19: NVIDIA security bulletin published
  • 11-06-19: CVE-2019-5701 assigned
  • 11-07-19: ACTIVELabs publishes this advisory