NVIDIA Fixes High Severity Flaws In Windows Display Driver
NVIDIA has released security updates to address high severity vulnerabilities in the Windows GPU display driver that could lead to code execution, escalation of privileges, information disclosure, and denial of service.
All GPU display driver bugs fixed by NVIDIA this month require local user access which means that attackers will need to first get a foothold on the systems to exploit these vulnerabilities.
Once is achieved, they could take exploit them by remotely planting malicious tools or running code designed to target one of the fixed issues on devices running unpatched NVIDIA GPU drivers.
The security updates also fix high severity flaws in the NVIDIA Virtual GPU Manager which may lead to denial of service, code execution, and information disclosure when successfully exploited.
Windows driver security issues
The GPU display driver issues impact Windows machines and they come with CVSS V3 base scores ranging from 4.4 to 7.8, while the NVIDIA GPU bugs have severity ratings between 5.5 and 8.8.
By abusing these vulnerabilities attackers can escalate their privileges without needing user interaction to get permissions above the ones they were initially granted by the compromised systems.
When successfully exploited, these vulnerabilities could also enable them to execute malicious code, to render unpatched machines temporarily unusable by triggering denial of service states, or to access sensitive information.
The security issues fixed by NVIDIA as part of the September 2020 security updates are listed in the table embedded below, with full descriptions and their respective CVSS V3 base scores.
Also Read: The Importance Of DPIA And Its 3 Types Of Processing
CVE IDs | Description | Base Score |
---|---|---|
CVE‑2020‑5979 | NVIDIA Display Driver contains a vulnerability in the Control Panel component in which a user is presented with a dialog box for input by a high-privilege process, which may lead to escalation of privileges. | 7.8 |
CVE‑2020‑5980 | NVIDIA Windows GPU Display Driver contains a vulnerability in multiple components in which a securely loaded system DLL will load its dependencies in an insecure fashion, which may lead to code execution or denial of service. | 7.8 |
CVE‑2020‑5981 | NVIDIA Windows GPU Display Driver contains a vulnerability in the DirectX11 user mode driver (nvwgf2um/x.dll ), in which a specially crafted shader can cause an out of bounds access which may lead to denial of service. | 7.8 |
CVE‑2020‑5982 | NVIDIA Windows GPU Display Driver contains a vulnerability in the kernel mode layer (nvlddmkm.sys ) scheduler, in which the software does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests, which may lead to denial of service. | 4.4 |
NVIDIA says that the “risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk of your local installation” and it recommends consulting a professional to accurately evaluate the risk of your specific system configuration.
The high severity CVE‑2020‑5979 flaw was reported by Jo Hemmerlein of Microsoft, CVE‑2020‑5980 by Andy Gill of Pen Test Partners LLP, while CVE‑2020‑5981 was reported by Cisco Talos’ Piotr Bania.
Impacted NVIDIA GPU driver versions
The full list of driver and software versions affected by these vulnerabilities can be found in the NVIDIA GPU Display Driver – September 2020 security bulletin.
NVIDIA urges customers to update their GeForce, Quadro, NVS, and Tesla GPU display drivers, as well as Virtual GPU Manager and guest driver software by applying security updates available via the NVIDIA Driver Downloads page.
The company says that some users may receive Windows GPU display driver 456.41, 452.11, and 446.29 versions from their computer hardware vendors also bundling the security updates released today.
To find your NVIDIA GPU display driver’s version you can follow the procedure detailed here.
Enterprise users have to log into the NVIDIA Enterprise Application Hub to get the NVIDIA vGPU software updates via the NVIDIA Licensing Center.
Also Read: 10 Principles On How To Build A Good Governance Model
0 Comments