Nvidia revealed a high-severity vulnerability (CVE‑2020‑5992) in its GeForce NOW application software for Windows—used for its cloud-based gaming service which provides real-time gameplay on desktops, laptops, Mac, and Android devices. GeForce Now is a freemium subscription service that lets gamers play games on Nvidia’s own servers, accessing the games remotely from client machines. An attacker can exploit the issue with the intent to execute code or gain privileges on affected devices. It’s worth noting the service has an estimated user base of 4 million people.
The vulnerability has a CVSS score of 7.3.
“NVIDIA GeForce NOW application software on Windows contains a vulnerability in its open-source software dependency in which the OpenSSL library is vulnerable to binary planting attacks by a local user, which may lead to code execution or escalation of privileges,” states the advisory.
Binary planting is a type of attack where the attacker “plants” a binary file that contains malicious code inside a (in this case local) file system, in order for a vulnerable application to load and execute it.
All versions prior to 220.127.116.11 are affected; users are urged to update to version 18.104.22.168. “To protect your system, open the GeForce NOW application to automatically download the update and follow the instructions for applying it,” according to Nvidia.