NVIDIA Patches High-Severity GeForce Spoof-Attack Bug

by | Jun 29, 2021 | News


 

NVIDIA’s gaming graphics software, GeForce Experience, which is bundled with the chipmaker’s popular GTX GPU, contains a flaw that a remote attacker can exploit to steal or manipulate data on a vulnerable Windows computer.

 

NVIDIA notified customers late last week of the bug and released a software patch for the flaw, which is present in its GeForce Experience (versions 3.21 and prior) Windows software. A 3.23 GeForce update is available now to mitigate the bug.

The bug is tracked as CVE-2021-1073, with a CVSS severity rating of 8.3 (high). The company warned: “NVIDIA GeForce Experience software contains a vulnerability where, if a user clicks on a maliciously formatted link that opens the GeForce Experience login page in a new browser tab instead of the GeForce Experience application and enters their login information, the malicious site can get access to the token of the user login session. Such an attack may lead to these targeted users’ data being accessed, altered, or lost.”

 

Who is Vulnerable to the NVIDIA Spoofing-Attack Bug?

 

The prerequisites for the attack, known as a spoofing attack, include an adversary with network or remote access to the vulnerable PC. According to NVIDIA’s details, because the victim must be coaxed into clicking on a malicious link, the attack is considered complex, which reduces the risk of successful exploitation.

 


 

 

The spoofing attack vulnerability is tied to incorrect processing of “special formatted links” in the NVIDIA GeForce Experience software. “A remote attacker can create a specially crafted link that opens the GeForce Experience login page in a new browser tab instead of the GeForce Experience application and enters their login information, the malicious site can get access to the token of the user login session,” according to a breakdown of the bug posted to Cybersecurity Help.

NVIDIA did not indicate if this vulnerability has been exploited. However, working exploits of the attack are not publicly available.

 

How to Protect Your NVIDIA GeForce Software from Attacks

 

Those affected are advised to download and install the software update via the GeForce Experience Download page or to simply open the software client, which will then automatically update the software.

 

 


 

GeForce Experience is free software bundled with NVIDIA’s graphics cards and specifically designed to enhance PC gaming performance. It allows users to monitor and optimize system performance, grab in-game screenshots, and record or livestream game play to communities such as Twitch.

Last Monday, the chipmaker also reported nine high-severity bugs in its Jetson SoC framework. The flaws were tied to the way the firmware handled low-level cryptographic algorithms.

Previous GeForce Experience fixes have included a software patch issued in October for a flaw that enabled code execution and conditions ripe for a denial-of-service (DoS) attack. In March 2019, NVIDIA warned of security issues affecting its GeForce brand, including an issue affecting GeForce Experience that could lead to code execution or DoS if exploited.


 

Source: threatpost.com

 
