Vulnerabilities > CVE-2015-7869 - Numeric Errors vulnerability in multiple products
Attack vector
LOCAL Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
PARTIAL Availability impact
COMPLETE Summary
Multiple integer overflows in the kernel mode driver for the NVIDIA GPU graphics driver R340 before 341.92, R352 before 354.35, and R358 before 358.87 on Windows and R304 before 304.131, R340 before 340.96, R352 before 352.63, and R358 before 358.16 on Linux allow local users to obtain sensitive information, cause a denial of service (crash), or possibly gain privileges via unknown vectors, which trigger uninitialized or out of bounds memory access. NOTE: this identifier has been SPLIT per ADT2 and ADT3 due to different vulnerability type and affected versions. See CVE-2015-8328 for the vulnerability in the NVAPI support layer in NVIDIA drivers for Windows.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-2814-1.NASL description It was discovered that the NVIDIA graphics drivers incorrectly sanitized user mode inputs. A local attacker could use this issue to possibly gain root privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 86944 published 2015-11-19 reporter Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/86944 title Ubuntu 12.04 LTS / 14.04 / 15.04 / 15.10 : nvidia-graphics-drivers vulnerability (USN-2814-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-2814-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(86944); script_version("2.11"); script_cvs_date("Date: 2019/09/18 12:31:45"); script_cve_id("CVE-2015-7869"); script_xref(name:"USN", value:"2814-1"); script_name(english:"Ubuntu 12.04 LTS / 14.04 / 15.04 / 15.10 : nvidia-graphics-drivers vulnerability (USN-2814-1)"); script_summary(english:"Checks dpkg output for updated packages."); script_set_attribute( attribute:"synopsis", value: "The remote Ubuntu host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "It was discovered that the NVIDIA graphics drivers incorrectly sanitized user mode inputs. A local attacker could use this issue to possibly gain root privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/2814-1/" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:P/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nvidia-304"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nvidia-304-updates"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nvidia-331"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nvidia-331-updates"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nvidia-340"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nvidia-340-updates"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nvidia-346"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nvidia-346-updates"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nvidia-352"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nvidia-352-updates"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.04:-:lts"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:15.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:15.10"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/11/24"); script_set_attribute(attribute:"patch_publication_date", value:"2015/11/18"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/11/19"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(12\.04|14\.04|15\.04|15\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 12.04 / 14.04 / 15.04 / 15.10", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"12.04", pkgname:"nvidia-304", pkgver:"304.131-0ubuntu0.12.04.1")) flag++; if (ubuntu_check(osver:"12.04", pkgname:"nvidia-304-updates", pkgver:"304.131-0ubuntu0.12.04.1")) flag++; if (ubuntu_check(osver:"12.04", pkgname:"nvidia-331-updates", pkgver:"340.96-0ubuntu0.12.04.1")) flag++; if (ubuntu_check(osver:"12.04", pkgname:"nvidia-340", pkgver:"340.96-0ubuntu0.12.04.1")) flag++; if (ubuntu_check(osver:"12.04", pkgname:"nvidia-340-updates", pkgver:"340.96-0ubuntu0.12.04.1")) flag++; if (ubuntu_check(osver:"14.04", pkgname:"nvidia-304", pkgver:"304.131-0ubuntu0.14.04.1")) flag++; if (ubuntu_check(osver:"14.04", pkgname:"nvidia-304-updates", pkgver:"304.131-0ubuntu0.14.04.1")) flag++; if (ubuntu_check(osver:"14.04", pkgname:"nvidia-331", pkgver:"340.96-0ubuntu0.14.04.1")) flag++; if (ubuntu_check(osver:"14.04", pkgname:"nvidia-331-updates", pkgver:"340.96-0ubuntu0.14.04.1")) flag++; if (ubuntu_check(osver:"14.04", pkgname:"nvidia-340", pkgver:"340.96-0ubuntu0.14.04.1")) flag++; if (ubuntu_check(osver:"14.04", pkgname:"nvidia-340-updates", pkgver:"340.96-0ubuntu0.14.04.1")) flag++; if (ubuntu_check(osver:"14.04", pkgname:"nvidia-346", pkgver:"352.63-0ubuntu0.14.04.1")) flag++; if (ubuntu_check(osver:"14.04", pkgname:"nvidia-346-updates", pkgver:"352.63-0ubuntu0.14.04.1")) flag++; if (ubuntu_check(osver:"14.04", pkgname:"nvidia-352", pkgver:"352.63-0ubuntu0.14.04.1")) flag++; if (ubuntu_check(osver:"14.04", pkgname:"nvidia-352-updates", pkgver:"352.63-0ubuntu0.14.04.1")) flag++; if (ubuntu_check(osver:"15.04", pkgname:"nvidia-304", pkgver:"304.131-0ubuntu0.15.04.1")) flag++; if (ubuntu_check(osver:"15.04", pkgname:"nvidia-304-updates", pkgver:"304.131-0ubuntu0.15.04.1")) flag++; if (ubuntu_check(osver:"15.04", pkgname:"nvidia-331", pkgver:"340.96-0ubuntu0.15.04.1")) flag++; if (ubuntu_check(osver:"15.04", pkgname:"nvidia-331-updates", pkgver:"340.96-0ubuntu0.15.04.1")) flag++; if (ubuntu_check(osver:"15.04", pkgname:"nvidia-340", pkgver:"340.96-0ubuntu0.15.04.1")) flag++; if (ubuntu_check(osver:"15.04", pkgname:"nvidia-340-updates", pkgver:"340.96-0ubuntu0.15.04.1")) flag++; if (ubuntu_check(osver:"15.04", pkgname:"nvidia-346", pkgver:"352.63-0ubuntu0.15.04.1")) flag++; if (ubuntu_check(osver:"15.04", pkgname:"nvidia-346-updates", pkgver:"352.63-0ubuntu0.15.04.1")) flag++; if (ubuntu_check(osver:"15.04", pkgname:"nvidia-352", pkgver:"352.63-0ubuntu0.15.04.1")) flag++; if (ubuntu_check(osver:"15.04", pkgname:"nvidia-352-updates", pkgver:"352.63-0ubuntu0.15.04.1")) flag++; if (ubuntu_check(osver:"15.10", pkgname:"nvidia-304", pkgver:"304.131-0ubuntu0.15.10.1")) flag++; if (ubuntu_check(osver:"15.10", pkgname:"nvidia-304-updates", pkgver:"304.131-0ubuntu0.15.10.1")) flag++; if (ubuntu_check(osver:"15.10", pkgname:"nvidia-331", pkgver:"340.96-0ubuntu0.15.10.1")) flag++; if (ubuntu_check(osver:"15.10", pkgname:"nvidia-331-updates", pkgver:"340.96-0ubuntu0.15.10.1")) flag++; if (ubuntu_check(osver:"15.10", pkgname:"nvidia-340", pkgver:"340.96-0ubuntu0.15.10.1")) flag++; if (ubuntu_check(osver:"15.10", pkgname:"nvidia-340-updates", pkgver:"340.96-0ubuntu0.15.10.1")) flag++; if (ubuntu_check(osver:"15.10", pkgname:"nvidia-346", pkgver:"352.63-0ubuntu0.15.10.1")) flag++; if (ubuntu_check(osver:"15.10", pkgname:"nvidia-346-updates", pkgver:"352.63-0ubuntu0.15.10.1")) flag++; if (ubuntu_check(osver:"15.10", pkgname:"nvidia-352", pkgver:"352.63-0ubuntu0.15.10.1")) flag++; if (ubuntu_check(osver:"15.10", pkgname:"nvidia-352-updates", pkgver:"352.63-0ubuntu0.15.10.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nvidia-304 / nvidia-304-updates / nvidia-331 / nvidia-331-updates / etc"); }NASL family Misc. NASL id NVIDIA_UNIX_CVE_2015_7869.NASL description The NVIDIA graphics driver installed on the remote host is affected by a privilege escalation vulnerability in the NVAPI support layer due to multiple unspecified integer overflow conditions in the underlying kernel mode driver. A local attacker can exploit this to gain access to uninitialized or out-of-bounds memory, resulting in possible information disclosure, denial of service, or the gaining of elevated privileges. last seen 2020-06-01 modified 2020-06-02 plugin id 87411 published 2015-12-16 reporter This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/87411 title NVIDIA Graphics Driver NVAPI Support Layer Integer Overflow Privilege Escalation (Unix / Linux) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(87411); script_version("1.7"); script_cvs_date("Date: 2018/11/15 20:50:23"); script_cve_id("CVE-2015-7869"); script_name(english:"NVIDIA Graphics Driver NVAPI Support Layer Integer Overflow Privilege Escalation (Unix / Linux)"); script_summary(english:"Checks the driver version."); script_set_attribute(attribute:"synopsis", value: "The remote host is affected by a privilege escalation vulnerability."); script_set_attribute(attribute:"description", value: "The NVIDIA graphics driver installed on the remote host is affected by a privilege escalation vulnerability in the NVAPI support layer due to multiple unspecified integer overflow conditions in the underlying kernel mode driver. A local attacker can exploit this to gain access to uninitialized or out-of-bounds memory, resulting in possible information disclosure, denial of service, or the gaining of elevated privileges."); # https://packetstormsecurity.com/files/134428/Ubuntu-Security-Notice-USN-2814-1.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a143cf56"); script_set_attribute(attribute:"see_also", value:"https://nvidia.custhelp.com/app/answers/detail/a_id/3808"); script_set_attribute(attribute:"solution", value: "Upgrade to the appropriate video driver version according to the vendor advisory."); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:P/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/11/13"); script_set_attribute(attribute:"patch_publication_date", value:"2015/11/13"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/12/16"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:nvidia:gpu_driver"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc."); script_dependencies("nvidia_unix_driver_detect.nbin"); script_require_keys("NVIDIA_UNIX_Driver/Version"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); version = get_kb_item_or_exit("NVIDIA_UNIX_Driver/Version"); fix = NULL; extra = ''; if (version =~ "^358\." && ver_compare(ver:version, fix:"358.16", strict:FALSE) == -1) fix = "358.16"; else if (version =~ "^352\." && ver_compare(ver:version, fix:"352.63", strict:FALSE) == -1) fix = "352.63"; else if (version =~ "^340\." && ver_compare(ver:version, fix:"340.96", strict:FALSE) == -1) fix = "340.96"; else if (version =~ "^304\." && ver_compare(ver:version, fix:"304.131", strict:FALSE) == -1) fix = "304.131"; if(!fix) audit(AUDIT_INST_VER_NOT_VULN, "NVIDIA UNIX Driver", version); else if (report_verbosity > 0) { report = '\n Installed driver version : ' + version + '\n Fixed driver version : ' + fix + '\n' + extra; security_warning(port:0, extra:report); } else security_warning(0);NASL family Windows NASL id NVIDIA_WIN_CVE_2015_8328.NASL description The version of the NVIDIA graphics driver installed on the remote Windows host is 340.x prior to 341.92, 352.x prior to 354.35, or 358.x prior to 358.87. It is, therefore, affected by multiple vulnerabilities : - A privilege escalation vulnerability exists in the Stereoscopic 3D Driver Service due to improper restriction of access to the last seen 2020-06-01 modified 2020-06-02 plugin id 87412 published 2015-12-16 reporter This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/87412 title NVIDIA Graphics Driver 340.x < 341.92 / 352.x < 354.35 / 358.x < 358.87 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(87412); script_version("1.9"); script_cvs_date("Date: 2018/07/16 14:09:15"); script_cve_id( "CVE-2015-7865", "CVE-2015-7866", "CVE-2015-7869", "CVE-2015-8328" ); script_bugtraq_id(83873); script_xref(name:"EDB-ID", value:"38792"); script_name(english:"NVIDIA Graphics Driver 340.x < 341.92 / 352.x < 354.35 / 358.x < 358.87 Multiple Vulnerabilities"); script_summary(english:"Checks the driver version."); script_set_attribute(attribute:"synopsis", value: "The remote Windows host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of the NVIDIA graphics driver installed on the remote Windows host is 340.x prior to 341.92, 352.x prior to 354.35, or 358.x prior to 358.87. It is, therefore, affected by multiple vulnerabilities : - A privilege escalation vulnerability exists in the Stereoscopic 3D Driver Service due to improper restriction of access to the 'stereosvrpipe' named pipe. An adjacent attacker can exploit this to execute arbitrary command line arguments, resulting in an escalation of privileges. (CVE-2015-7865) - A privilege escalation vulnerability exists due to an unquoted Windows search path issue in the Smart Maximize Helper (nvSmartMaxApp.exe). A local attacker can exploit this to escalate privileges. (CVE-2015-7866) - Multiple privilege escalation vulnerabilities exist in the NVAPI support layer due to multiple unspecified integer overflow conditions in the underlying kernel mode driver. A local attacker can exploit these issues to gain access to uninitialized or out-of-bounds memory, resulting in an escalation of privileges. (CVE-2015-7869, CVE-2015-8328)"); script_set_attribute(attribute:"see_also", value:"https://nvidia.custhelp.com/app/answers/detail/a_id/3806"); script_set_attribute(attribute:"see_also", value:"https://nvidia.custhelp.com/app/answers/detail/a_id/3807"); script_set_attribute(attribute:"see_also", value:"https://nvidia.custhelp.com/app/answers/detail/a_id/3808"); script_set_attribute(attribute:"solution", value: "Upgrade to video driver version 341.92 / 354.35 / 358.87 or later."); script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:S/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"vuln_publication_date",value:"2015/11/13"); script_set_attribute(attribute:"patch_publication_date",value:"2015/11/13"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/12/16"); script_set_attribute(attribute:"plugin_type",value:"local"); script_set_attribute(attribute:"cpe",value:"cpe:/a:nvidia:gpu_driver"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc."); script_dependencies("wmi_enum_display_drivers.nbin"); script_require_keys("WMI/DisplayDrivers/NVIDIA", "Settings/ParanoidReport"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); kb_base = 'WMI/DisplayDrivers/'; # double check in case optimization is disabled kbs = get_kb_list(kb_base + '*/Name'); if (isnull(kbs)) exit(0, 'No display drivers were found.'); nvidia_found = FALSE; foreach name (kbs) if ("NVIDIA" >< name) nvidia_found = TRUE; if (!nvidia_found) exit(0, 'No NVIDIA display drivers were found.'); report = ''; foreach kb (keys(kbs)) { name = kbs[kb]; # only check NVIDIA drivers if ("NVIDIA" >!< name) continue; id = kb - kb_base - '/Name'; version = get_kb_item_or_exit(kb_base + id + '/Version'); driver_date = get_kb_item_or_exit(kb_base + id + '/DriverDate'); disp_driver_date = driver_date; # convert to something we can pass to ver_compare (YYYY.MM.DD) driver_date = split(driver_date, sep:'/', keep:FALSE); driver_date = driver_date[2] + '.' + driver_date[0] + '.' + driver_date[1]; fix = ''; # 358 Branch if (version =~ "^358\." && ver_compare(ver:version, fix:"358.87", strict:FALSE) == -1) fix = '358.87'; # 352 Branch if (version =~ "^35[2-4]\." && ver_compare(ver:version, fix:"354.35", strict:FALSE) == -1) fix = '354.35'; # 340 Branch if (version =~ "^34[01]." && ver_compare(ver:version, fix:"341.92", strict:FALSE) == -1) fix = '341.92'; if (fix != '') { report += '\n Device name : ' + name + '\n Driver version : ' + version + '\n Driver date : ' + disp_driver_date + '\n Fixed version : ' + fix + '\n'; } } if (report_paranoia < 2) audit(AUDIT_PARANOID); if (report != '') { if (report_verbosity > 0) security_hole(port:0, extra: report); else security_hole(0); } else exit(0, "No vulnerable NVIDIA display adapters were found.");