Security News > 2021 > April > Gamers update! Nvidia patches GPU driver kernel escalation bugs

Gamers update! Nvidia patches GPU driver kernel escalation bugs
2021-04-28 18:35

The patches cover 13 different CVE numbers, running from CVE-2021-1074 to CVE-2021-1078 for the GPU driver fixes, and from CVE-2021-1080 to CVE-2021-1087 for the vGPU products.

The GPU software bug that ended up with the highest "Base score" using the well-known CVSS bug-rating system was CVE-2021-1074, described as a "Vulnerability in the [GPU driver] installer where an attacker with local system access may replace an application resource with malicious files."

If the installation script language gives control over copying and replacing files or can specify external programs to run at install or update time, a crook may be able to trick the installer into performing malicious activities without needing a new and suspicious-looking.

Nvidia has a list of affected products plus the updated driver version numbers you want, as well as instructions on how to figure out which versions of its driver software are installed already.

By the way, if you were wondering where the missing bug number CVE-2021-1079 went from the sequences listed above, the answer is that it was allocated to a flaw in the Nvidia GeForce Experience software, not in any bugs in GPU drivers or vGPU packages.

If you use GeForce Experience, the bug that was patched could lead to code execution or to elevation of privilege, so you need to patch that software too, as explained in a separate Nvidia security bulletin.


News URL

https://nakedsecurity.sophos.com/2021/04/28/gamers-update-nvidia-patches-gpu-driver-kernel-escalation-bugs/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2021-04-29 CVE-2021-1080 Improper Input Validation vulnerability in Nvidia Virtual GPU Manager
NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (vGPU plugin), in which certain input data is not validated, which may lead to information disclosure, tampering of data, or denial of service.
local
low complexity
nvidia CWE-20
7.8
2021-04-29 CVE-2021-1087 Unspecified vulnerability in Nvidia Virtual GPU Manager
NVIDIA vGPU driver contains a vulnerability in the Virtual GPU Manager (vGPU plugin), which could allow an attacker to retrieve information that could lead to a Address Space Layout Randomization (ASLR) bypass.
local
low complexity
nvidia
5.5
2021-04-21 CVE-2021-1074 Unspecified vulnerability in Nvidia GPU Display Driver
NVIDIA GPU Display Driver for Windows installer contains a vulnerability where an attacker with local unprivileged system access may be able to replace an application resource with malicious files.
local
low complexity
nvidia
7.3
2021-04-21 CVE-2021-1078 NULL Pointer Dereference vulnerability in Nvidia GPU Display Driver
NVIDIA Windows GPU Display Driver for Windows, all versions, contains a vulnerability in the kernel driver (nvlddmkm.sys) where a NULL pointer dereference may lead to system crash.
local
low complexity
nvidia CWE-476
5.5
2021-04-20 CVE-2021-1079 Unspecified vulnerability in Nvidia Geforce Experience
NVIDIA GeForce Experience, all versions prior to 3.22, contains a vulnerability in GameStream plugins where log files are created using NT/System level permissions, which may lead to code execution, denial of service, or local privilege escalation.
local
low complexity
nvidia
6.1

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Nvidia 239 12 178 319 15 524
Kernel 3 0 7 4 1 12