NVIDIA fixes critical vulnerability in Windows GPU driver (2/28/2020)

Nvidia has just released an update that fixes a critical vulnerability in its Windows GPU graphics driver. The vulnerabilities addressed could lead to privilege escalation, code execution or information theft.


The update was released on Friday, February 28, 2020, as I read in a tweet from Bleeping Computer.

The driver update for the GPU graphics driver fixes several security vulnerabilities with high and medium severity.

The vulnerabilities

The two vulnerabilities in the Windows GPU graphics drivers have CVSS V3 base ratings of 6.7 to 8.4, while three NVIDIA vGPU software bugs have received a severity rating of between 5.5 and 7.8. On unpatched systems, the following risks arise:

  • Local attackers can escalate their privileges without user interaction.
  • Local attackers could make unpatched hosts temporarily unusable by triggering denial-of-service attacks, execute malicious code, or access sensitive information on the target systems.

Fortunately, all of the vulnerabilities require the attacker to have local access; remote exploitation is not possible. The following tables list the vulnerabilities.


CVEs for NVIDIA GPU Display Driver

| CVE | Description | Base Score |
|---|---|---|
| CVE‑2020‑5957 | NVIDIA Windows GPU Display Driver contains a vulnerability in the NVIDIA Control Panel component in which an attacker with local system access can corrupt a system file, which may lead to denial of service or escalation of privileges. | 8.4 |
| CVE‑2020‑5958 | NVIDIA Windows GPU Display Driver contains a vulnerability in the NVIDIA Control Panel component in which an attacker with local system access can plant a malicious DLL file, which may lead to code execution, denial of service, or information disclosure. | 6.7 |

CVEs for NVIDIA vGPU Software

| CVE | Description | Base Score |
|---|---|---|
| CVE‑2020‑5959 | NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU plugin, in which an input index value is incorrectly validated, which may lead to denial of service. | 7.8 |
| CVE‑2020‑5960 | NVIDIA Virtual GPU Manager contains a vulnerability in the kernel module (nvidia.ko), where a null pointer dereference may occur, which may lead to denial of service. | 6.5 |
| CVE‑2020‑5961 | NVIDIA vGPU graphics driver for guest OS contains a vulnerability in which an incorrect resource clean up on a failure path can impact the guest VM, leading to denial of service. | 5.5 |

Nvidia has released this security warning with more details about these vulnerabilities and the security update. It also lists which driver versions are affected and which updates are available.

