NVIDIA has released a security update for NVIDIA GPU Display Driver software to patch eight security problems that could lead to code execution, privilege escalation, denial of service or disclosure of information on both Windows and Linux machines.
Although all of these software flaws require local user access and cannot be exploited remotely, attackers can still take advantage of them by remotely planting malicious tools on a system running a vulnerable version of the NVIDIA GPU Display Driver.
The flaws carry CVSS V3 base scores ranging from 2.2 to 8.8, with five of them receiving an 8.8 risk assessment from NVIDIA (all affecting the NVIDIA Windows GPU Display Driver), while the 2.2 base score was assigned to the only flaw affecting both Windows and Linux machines.
Potential attackers can make vulnerable machines unusable by triggering the flaws that lead to a denial-of-service state, while unpatched code execution vulnerabilities allow them to run commands or code on the compromised machine.
Would-be attackers can also gather valuable information about systems running an outdated version of the NVIDIA GPU Display Driver by exploiting the information disclosure flaws.
The privilege escalation flaws, on the other hand, allow attackers to elevate their privileges and gain permissions beyond those originally granted by the system. The software flaws addressed in NVIDIA’s February 2019 security update are listed below, along with a full description and the CVSS V3 Base Score assigned to each of them.
According to NVIDIA:
“The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk of your local installation. NVIDIA recommends consulting a security or IT professional to evaluate the risk to your specific configuration.”
The NVIDIA GPU Display Driver - February 2019 security bulletin also contains a complete list of the software products affected by the security problems addressed in the February 2019 security update.
All users are advised to update their drivers as soon as possible by applying the security update available on the NVIDIA Driver Downloads page. While installing the software update is sufficient to fix the security problems in the table above, one exception is the cross-platform problem tracked as CVE-2018-6260, which requires some additional steps:
Windows Graphics Driver: Refer to the Developer->Manage GPU Performance Counters section of the NVIDIA Control Panel Help for the additional steps required. If you are an enterprise customer, refer to the instructions in the Product Release Notes.
Linux Graphics Driver: Refer to the Restricting Access to GPU Performance Counters section of the Linux driver Readme.