Vulnerability Description:
The OpenSSL library included in the GameStream component of GeForce Experience 2.0.0 is subject to the recently disclosed Heartbleed vulnerability. As a result, an attacker who successfully exploited this vulnerability could read the GameStream service process memory from another computer, and potentially steal confidential GameStream session data, including the user password, or decrypt future GameStream sessions.
Exploit Scope and Risk:
To take advantage of this vulnerability, an attacker would need to run Heartbleed exploit software on a remote computer that can directly communicate with the target computer over the local network or internet. Such exploit software is known to exist today and can be readily leveraged by attackers.
Common Vulnerability Scoring System (CVSS) Scoring:
CVSS Base Score - 5.0
Exploitability Subscore - 10.0
Access Vector: Network
Access Complexity: Low
Authentication: None
Impact Subscore - 2.9
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None
CVSS Temporal Score - 4.1
Exploitability: Functional exploit exists
Remediation Level: Official fix
Report Confidence: Confirmed
CVSS Environmental Score - [determined by user]
Vulnerable Configurations:
This issue affects all Windows computers with NVIDIA GeForce Experience 2.0.0 software installed. The vulnerable component was included in the NVIDIA GeForce Release 337.50 driver and selected Release 331 OEM drivers. To determine whether your current GeForce Experience software is vulnerable, do the following:
- Launch the GeForce Experience client from the Start menu
- Click the Preferences tab, and examine the version number listed.
Vulnerability Discovery:
NVIDIA discovered this vulnerability internally during an assessment of products affected by the OpenSSL Heartbleed vulnerability.
Fix:
NVIDIA has fixed this issue via an NVIDIA GeForce Experience update. To eliminate this vulnerability, we strongly recommend that end users update their systems to NVIDIA GeForce Experience version 2.0.1 or later as follows:
- Launch the GeForce Experience client from the Start menu
- Click the Preferences tab and select Updates in the left navigation pane
- Click Check Now and follow the subsequent instructions
Mitigations:
The following computer security best practices will reduce risks associated with this vulnerability:
- Do not interact with messages, chats or other forms of electronic communications from unknown or untrusted senders
- Do not visit untrusted web sites
- Do not install untrusted software