NVIDIA has released security updates for the NVIDIA GPU Display Driver and the NVIDIA Virtual GPU Manager that fix a variety of serious vulnerabilities.
The driver security update should be implemented by users of the company’s desktop, workstation and data center GPUs, while the vGPU software update is available for the Virtual GPU Manager component on Citrix Hypervisor, VMware vSphere, Red Hat Enterprise Linux KVM, and Nutanix AHV enterprise virtualization solutions.
NVIDIA GPU Display Driver security updates
Four security holes have been plugged in the Display Driver:
- CVE‑2020‑5979 affects the Control Panel component and may lead to privilege escalation
- CVE‑2020‑5980 affects multiple components and may lead to code execution or DoS
- CVE‑2020‑5981 affects the DirectX11 user mode driver and can, according to NVIDIA, lead to DoS
- CVE‑2020‑5982 affects the kernel mode layer and can lead to DoS.
CVE‑2020‑5980 was unearthed by Andy Gill of Pen Test Partners, and the discovery was detailed in a blog post published on Thursday.
The vulnerability allows for DLL hijacking, i.e., subverting an application's execution flow by getting it to load an external DLL.
“If a vulnerable application is configured to run at a higher privilege level, then the malicious DLL that is loaded will also be executed at a higher level, thus achieving escalation of privilege. Often the application will behave no differently because malicious DLLs may also be configured to load the legitimate DLLs they were meant to replace or where a DLL doesn’t exist,” Gill explained.
CVE‑2020‑5981 was discovered by Piotr Bania of Cisco Talos. The CVE number covers multiple vulnerabilities and, Cisco claims, they could be exploited to achieve remote code execution (and not just DoS).
“An adversary could exploit these vulnerabilities by supplying the user with a malformed shader, eventually allowing them to execute code on the victim machine. These bugs could also allow the attacker to perform a guest-to-host escape through Hyper-V RemoteFX on Windows machines,” they say.
Users are advised to check which NVIDIA display driver version is currently installed on their system(s) and update it if necessary (updates are available from here).
NVIDIA vGPU Software security updates
Vulnerabilities CVE‑2020‑5983 to CVE‑2020‑5989 are found in the vGPU plugin and could lead to DoS, information disclosure, code execution, tampering, and privilege escalation.
Users are advised to upgrade to vGPU Software versions 11.1, 10.4, or 8.5 – updates are available through the NVIDIA Licensing Portal.
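For admins with more than a handful of hosts, the upgrade advice above can be turned into a quick inventory triage. The following is an added example, not NVIDIA's or the article's code; the inventory format, hostnames and status labels are constructed, and it assumes each fixed release (11.1, 10.4, 8.5) applies to the branch with the same major number.

```python
import csv
import io

# Fixed release per branch, as listed in the article. Treating the major
# number as the release branch is an assumption of this example.
FIXED = {11: (11, 1), 10: (10, 4), 8: (8, 5)}

# Constructed sample inventory (hosts and versions are made up).
SAMPLE_INVENTORY = """host,hypervisor,vgpu_version
esx-01,VMware vSphere,11.0
esx-02,VMware vSphere,11.1
xen-07,Citrix Hypervisor,10.3
kvm-03,Red Hat Enterprise Linux KVM,8.5
ahv-11,Nutanix AHV,9.4
ahv-12,Nutanix AHV,unknown
"""


def parse_version(text):
    """Return (major, minor), or None when the string is not 'N.N'."""
    parts = text.strip().split(".")
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        return None
    return int(parts[0]), int(parts[1])


def classify(version_text):
    """Return (status, target_release) for one reported version string."""
    version = parse_version(version_text)
    fixed = FIXED.get(version[0]) if version else None
    if fixed is None:
        # Unparseable version, or a branch the article lists no fix for:
        # flag for manual review instead of guessing.
        return ("review", None)
    if version >= fixed:
        return ("patched", None)
    return ("update", "%d.%d" % fixed)


def triage(inventory_csv):
    """Map each host in a CSV inventory to its (status, target_release)."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row["vgpu_version"]) for row in rows}


if __name__ == "__main__":
    for host, (status, target) in triage(SAMPLE_INVENTORY).items():
        print(host, status, target or "-")
```

Hosts that come back as "review" are on a branch the article names no fixed release for, or reported a version that could not be parsed, so they need a manual check against NVIDIA's bulletin.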