A GPU driver security update has been released by NVIDIA to address five high-and medium-serious vulnerabilities that might lead to local code execution, privilege increases and service denial on vulnerable Windows computers.
All of the security flaws patched by NVIDIA today require local user access and can not be exploited remotely, and potential user interaction for unpatched display drivers can cause potential attackers to run malicious code for one of the fixed bugs on machines.
NVIDIA recommends that users update the GeForce, Quadro, NVS and Tesla Windows GPU drivers by using the NVIDIA Driver Downloads page security update.
Security issues with high severity
The problems with CVSS V3 baselines range from 5.2 to 8.8, three of which have received high-strength NVIDIA risk assessments, while the other two have been given medium-strength, all of which have an effect on Windows machines.
Using these GPU display driver vulnerabilities, potential attackers can increase their privileges by allowing them to gain permissions beyond the default ones that the compromised system originally granted.
These flaws would also enable them to temporarily disabling vulnerable machines by triggering a denial of a service state or malicious code on the affected Windows systems locally.
The security issues fixed by NVIDIA as part of the security updating in August 2019 are listed below, with full descriptions and the company’s assigned CVSS V3 baseline scores.
|CVE‑2019‑5683||NVIDIA Windows GPU Display Driver contains a vulnerability in the user mode video driver trace logger component. When an attacker has access to the system and creates a hard link, the software does not check for hard link attacks. This behavior may lead to code execution, denial of service, or escalation of privileges.||8.8|
|CVE‑2019‑5684||NVIDIA Windows GPU Display Driver contains a vulnerability in DirectX drivers, in which a specially crafted shader can cause an out of bounds access of an input texture array, which may lead to denial of service or code execution.||7.8|
|CVE‑2019‑5685||NVIDIA Windows GPU Display Driver contains a vulnerability in DirectX drivers, in which a specially crafted shader can cause an out of bounds access to a shader local temporary array, which may lead to denial of service or code execution.||7.8|
|CVE‑2019‑5686||NVIDIA Windows GPU Display Driver contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape in which the software uses an API function or data structure in a way that relies on properties that are not always guaranteed to be valid, which may lead to denial of service.||5.6|
|CVE‑2019‑5687||NVIDIA Windows GPU Display Driver contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape in which an incorrect use of default permissions for an object exposes it to an unintended actor, which may lead to information disclosure or denial of service.||5.2|
According to NVIDIA’s security, “risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk of your local installation. NVIDIA recommends consulting a security or IT professional to evaluate the risk to your specific configuration.”
Cisco Talos ‘ Piotr Bania reported two problems, those tracked as CVE-2019-5684 and CVE-2019-5685 which could lead to a service denial or code execution.
The NVIDIA GPU Display Driver today-August 2019 security newsletter also lists the driver versions that have been affected by the five patched security problems:
|Software Product||Operating System||Affected Versions||Updated Version|
|GeForce||Windows||All R430 versions prior to 431.60||431.60|
|Quadro, NVS||Windows||All R430 versions prior to 431.70||431.70|
|All R418 Versions prior to 426.00||426.00|
|All R400 versions||Available the week of August 19, 2019|
|All R390 versions prior to 392.56||392.56|
|Tesla||Windows||All R418 versions||Available the week of August 12, 2019|
NVIDIA says that some users who do not manually patch the flaws may also receive Windows drivers 431.23, 425.85 and 412.39 from their computer hardware vendors.
“The table above may not be a comprehensive list of all affected versions or branch releases and may be updated as more information becomes available,” adds NVIDIA.