Both of those Nvidia and Intel faced significant security issues this week – including a substantial-severity bug in Nvidia’s GeForce NOW.
Nvidia is red-flagging a superior-severity flaw in its GeForce NOW software computer software for Windows. An attacker on a regional network can exploit the flaw in buy to execute code or get escalated privileges on affected gadgets.
GeForce NOW is the model applied by Nvidia for its cloud-dependent gaming assistance, which permits authentic-time gameplay on desktops, laptops, Macs and Android units. With an believed user base of 4 million, the assistance is wildly common in the gaming community.
In a Tuesday security advisory, Nvidia revealed a flaw in the common assistance (CVE‑2020‑5992) that has a CVSS rating of 7.3.
The bug stems from an “open-source software program dependency” having to do with the OpenSSL library, which is a software package library for programs that safe communications over personal computer networks versus eavesdropping or which have to have to identify the occasion at the other stop.
In this condition, OpenSSL library is vulnerable to binary planting assaults, according to Nvidia in its security advisory. Binary planting is a form of attack in which the attacker “plants” a binary file that incorporates destructive code inside a (in this circumstance neighborhood) file system, in order for a vulnerable application to load and execute it.
All variations prior to 2..25.119 are impacted customers are urged to update to edition 2..25.119.
“To secure your procedure, open the GeForce NOW software to automatically download the update and adhere to the directions for applying it,” according to Nvidia.
Nvidia has not long ago faced different security issues in its gaming-helpful goods. That includes two new flaws in the Windows model of its GeForce Working experience program. The most severe flaw of the two (CVE-2020-5977) can lead to a slew of destructive attacks on influenced units – such as code execution, denial of assistance, escalation of privileges and facts disclosure.
In October, Nvidia also released a patch for a critical bug in its significant-efficiency line of DGX servers that could open the doorway for a remote attacker to acquire handle of and accessibility sensitive info on programs usually operated by governments and Fortune-100 firms.
Other Processor Security Issues
Chip manufacturers have deployed a slew of security updates this past week. A enormous Intel security update on Tuesday, for instance, addressed flaws throughout a myriad of solutions – most notably, critical bugs that can be exploited by unauthenticated cybercriminals in get to acquire escalated privileges. These critical flaws exist in merchandise connected to Wireless Bluetooth – together with various Intel Wi-Fi modules and wi-fi network adapters – as perfectly as in its remote out-of-band management resource, Active Management Technology (AMT).
Also this 7 days, researchers unveiled a new way to steal cryptographic keys from Intel chips by means of a new aspect-channel attack, which they call PLATYPUS.
The attack stems from the ability to exploit the Intel Jogging Common Ability Limit (RAPL) interface. RAPL permits checking and managing the electrical power usage of the CPU and DRAM in software. By launching a facet-channel attack in opposition to RAPL, researchers had been able to not only distinguish distinctive keys, but also reconstruct whole cryptographic keys.
Intel for its element mentioned that the flaws (CVE-2020-8694 and CVE-2020-8695) are medium-severity. Which is in aspect because of to the point that in purchase to launch an attack, a terrible actor would need to have local obtain to a system, and would want to be authenticated or privileged.
The chip-maker encouraged that end users of influenced Intel CPUs update to the most up-to-date firmware model furnished by the program company (a total list of afflicted Intel chips and updates can be observed in this article).
“Intel suggests that consumers of impacted Intel Processors put in the updates furnished by their software program sellers,” in accordance to Intel’s advisory. “In Linux, for the alter to be helpful it will call for a reboot. If a reboot is not achievable, Intel recommends altering the permissions of the impacted sysfs characteristics so that only privileged people can accessibility them.”
Hackers Place Bullseye on Healthcare: On Nov. 18 at 2 p.m. EDT find out why hospitals are acquiring hammered by ransomware assaults in 2020. Save your place for this Totally free webinar on health care cybersecurity priorities and hear from major security voices on how details security, ransomware and patching want to be a priority for every single sector, and why. Be a part of us Wed., Nov. 18, 2-3 p.m. EDT for this LIVE, restricted-engagement webinar.