Nvidia has disclosed a group of security vulnerabilities in the Nvidia graphics processing unit (GPU) display driver, which could subject gamers and others to privilege-escalation attacks, arbitrary code execution, denial of service (DoS) and information disclosure.
Meanwhile, the Nvidia virtual GPU (vGPU) software also has a group of bugs that could lead to a range of similar attacks.
The most severe of the five bugs in the GPU display driver is tracked as CVE-2021-1074, which rates 7.5 out of 10 on the CVSS vulnerability scale, making it high-severity. It exists in the display driver's installer, and allows an attacker with local system access to replace an application resource with malicious files. Such an attack may lead to code execution, escalation of privileges, denial of service, or information disclosure.
Another high-severity bug, CVE-2021-1075, rates 7.3 on the CVSS scale. NVIDIA Windows GPU Display Driver for Windows, all versions, contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape where the program dereferences a pointer that contains a location for memory that is no longer valid, which may lead to code execution, denial of service, or escalation of privileges.
Two medium-severity flaws, CVE-2021-1076 and CVE-2021-1077, both rate 6.6 on the CVSS scale. The former affects all versions of the NVIDIA GPU Display Driver for Windows and Linux: the kernel mode layer (nvlddmkm.sys or nvidia.ko) contains a vulnerability where improper access control may lead to denial of service, information disclosure, or data corruption. The latter affects the R450 and R460 driver branches of the NVIDIA GPU Display Driver for Windows and Linux: the software uses a reference count to manage a resource, and that count is incorrectly updated, which may lead to denial of service.
And finally, the medium-severity CVE-2021-1078 rates 5.5 on the CVSS scale. NVIDIA Windows GPU Display Driver for Windows, all versions, contains a vulnerability in the kernel driver (nvlddmkm.sys) where a NULL pointer dereference may lead to a system crash.
Meanwhile, Nvidia's vGPU software has eight different security holes. The virtualized GPU allows computing acceleration tailored for resource-intensive workloads like graphics-rich virtual workstations, data science and artificial intelligence.
The first four bugs are high-severity input-validation bugs that can lead to information disclosure, data tampering or DoS.
These are:
The other four could lead to a variety of outcomes if exploited:
Nvidia has released patches to mitigate all of the bugs, which users can download through the Nvidia Driver Downloads page or, for the vGPU software update, through the Nvidia Licensing Portal. Affected version tables are available in Nvidia's advisory, released Friday.
Nvidia continues to address security bugs on a regular basis. In January, it released fixes tied to 16 CVEs across its graphics drivers and vGPU software, in its first security update of 2021. And soon after, it issued patches for its Tesla-based GPUs and its Shield TV lineup.