Multiple vulnerabilities in NVIDIA GeForce Experience
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2018-6257 CVE-2018-6258 CVE-2018-6259 |
| CWE-ID | CWE-284 CWE-300 CWE-200 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
GeForce Experience Client/Desktop applications / Other client software |
| Vendor | nVidia |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Improper access control
EUVDB-ID: #VU14597
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-6257
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to gain elevated privileges on the target system.
The weakness exists due to improper access control when GameStream is enabled. A local attacker can cause the service to crash or gain elevated privileges.
Update to version 3.14.1.
Vulnerable software versionsGeForce Experience: 3.0 - 3.14.0
CPE2.3- cpe:2.3:a:nvidia:geforce_experience:3.0:*:*:*:*:*:*:*
- cpe:2.3:a:nvidia:geforce_experience:3.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:nvidia:geforce_experience:3.0.7:*:*:*:*:*:*:*
https://nvidia.custhelp.com/app/answers/detail/a_id/4685
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Man-in-the-middle attack
EUVDB-ID: #VU14598
Risk: Low
CVSSv4.0: 1.9 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-6258
CWE-ID:
CWE-300 - Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to conduct man-in-the-middle attack on the target system.
The weakness exists due to an error during GameStream installation. A local attacker can conduct MITM-attack and gain access to important data.
Update to version 3.14.1.
Vulnerable software versionsGeForce Experience: 3.0 - 3.14.0
CPE2.3- cpe:2.3:a:nvidia:geforce_experience:3.0:*:*:*:*:*:*:*
- cpe:2.3:a:nvidia:geforce_experience:3.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:nvidia:geforce_experience:3.0.7:*:*:*:*:*:*:*
https://nvidia.custhelp.com/app/answers/detail/a_id/4685
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Information disclosure
EUVDB-ID: #VU14599
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-6259
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to obtain potentially sensitive information on the target system.
The weakness exists due to an error when GameStream is enabled,. A local attacker can gain access to important data.
Update to version 3.14.1.
Vulnerable software versionsGeForce Experience: 3.0 - 3.14.0
CPE2.3- cpe:2.3:a:nvidia:geforce_experience:3.0:*:*:*:*:*:*:*
- cpe:2.3:a:nvidia:geforce_experience:3.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:nvidia:geforce_experience:3.0.7:*:*:*:*:*:*:*
https://nvidia.custhelp.com/app/answers/detail/a_id/4685
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
