SB2018101208 - Multiple vulnerabilities in NVIDIA GeForce Experience
Published: October 12, 2018
Security Bulletin ID
SB2018101208
CSH Severity
Low
Patch available
YES
Number of vulnerabilities
2
Exploitation vector
Local access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Privilege escalation (CVE-ID: CVE‑2018‑6261)
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The weakness exists due to GameStream is enabled which sets incorrect permissions on a file. A local attacker can cause the service to crash or execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
2) Information disclosure (CVE-ID: CVE‑2018‑6262)
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to obtain potentially sensitive information on the target system.
The weakness exists due to limited sensitive user information may be available to users with system access when GameStream is enabled. A local attacker can gain access to users credentials.
Remediation
Install update from vendor's website.