Vulnerabilities > CVE-2016-3161 - Local Privilege Escalation and Denial of Service vulnerability in Multiple NVIDIA Products

CVSS 7.2 - HIGH

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

local

low complexity

nvidia

nessus

NVD

Published: 2016-11-08

Updated: 2016-12-15

Summary

For the NVIDIA Quadro, NVS, and GeForce products, GFE GameStream and NVTray Plugin unquoted service path vulnerabilities are examples of the unquoted service path vulnerability in Windows. A successful exploit of a vulnerable service installation can enable malicious code to execute on the system at the system/user privilege level. The CVE-2016-3161 ID is for the GameStream unquoted service path. <a href="http://cwe.mitre.org/data/definitions/428.html">CWE-428: Unquoted Search Path or Element</a>

Vulnerable Configurations

Part	Description	Count
Application	Nvidia Nvidia Geforce Experience *	1
Hardware	Nvidia Nvidia Geforce 910M - Nvidia Geforce 920M - Nvidia Geforce 920Mx - Nvidia Geforce 930M - Nvidia Geforce 930Mx - Nvidia Geforce 940M - Nvidia Geforce 940Mx - Nvidia Geforce 945M - Nvidia Geforce GT 710 - Nvidia Geforce GT 730 - Nvidia Geforce GTX 1050 - Nvidia Geforce GTX 1060 - Nvidia Geforce GTX 1070 - Nvidia Geforce GTX 1080 - Nvidia Geforce GTX 950M - Nvidia Geforce GTX 960M - Nvidia Geforce GTX 965M - Nvidia NVS 310 - Nvidia NVS 315 - Nvidia NVS 510 - Nvidia NVS 810 - Nvidia Quadro K1200 - Nvidia Quadro K420 - Nvidia Quadro K620 - Nvidia Quadro M1000M - Nvidia Quadro M2000 - Nvidia Quadro M2000M - Nvidia Quadro M3000M - Nvidia Quadro M4000 - Nvidia Quadro M4000M - Nvidia Quadro M5000 - Nvidia Quadro M5000M - Nvidia Quadro M500M - Nvidia Quadro M5500 - Nvidia Quadro M6000 - Nvidia Quadro M600M - Nvidia Quadro P5000 - Nvidia Quadro P6000 - Nvidia Titan X -	39

Nessus

NASL family	Windows
NASL id	NVIDIA_WIN_CVE_2016_4959.NASL
description	The version of the NVIDIA graphics driver installed on the remote Windows host is 340.x prior to 341.96, 352.x prior to 354.99, 361.x prior to 362.77, or 367.x prior to 368.39. It is, therefore, affected by multiple vulnerabilities : - A privilege escalation vulnerability exists in GFE GameStream due to an unquoted search path. A local attacker can exploit this, via a malicious executable in the root path, to elevate privileges. (CVE-2016-3161) - A denial of service vulnerability exists due to a NULL pointer dereference flaw. An unauthenticated, remote attacker can exploit this to cause a crash. (CVE-2016-4959) - A privilege escalation vulnerability exists in the NVStreamKMS.sys driver due to improper sanitization of user-supplied data passed via API entry points. A local attacker can exploit this to gain elevated privileges. (CVE-2016-4960) - A denial of service vulnerability exists in the NVStreamKMS.sys driver due to improper handling of parameters. An unauthenticated, remote attacker can exploit this to cause a crash. (CVE-2016-4961) - A denial of service vulnerability exists in the NVAPI support layer due to improper sanitization of parameters. An unauthenticated, remote attacker can exploit this to cause a crash. (CVE-2016-5025) - A privilege escalation vulnerability exists in the NVTray plugin due to an unquoted search path. A local attacker can exploit this, via a malicious executable in the root path, to elevate privileges. (CVE-2016-5852) Note that CVE-2016-3161, CVE-2016-4960, CVE-2016-4961, and CVE-2016-5852 only affect systems which also have GeForce Experience software installed.
last seen	2020-06-01
modified	2020-06-02
plugin id	93912
published	2016-10-07
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/93912
title	NVIDIA Graphics Driver 340.x < 341.96 / 352.x < 354.99 / 361.x < 362.77 / 367.x < 368.39 Multiple Vulnerabilities
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(93912); script_version("1.7"); script_cvs_date("Date: 2019/11/14"); script_cve_id( "CVE-2016-3161", "CVE-2016-4959", "CVE-2016-4960", "CVE-2016-4961", "CVE-2016-5025", "CVE-2016-5852" ); script_name(english:"NVIDIA Graphics Driver 340.x < 341.96 / 352.x < 354.99 / 361.x < 362.77 / 367.x < 368.39 Multiple Vulnerabilities"); script_summary(english:"Checks the driver version."); script_set_attribute(attribute:"synopsis", value: "The remote Windows host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of the NVIDIA graphics driver installed on the remote Windows host is 340.x prior to 341.96, 352.x prior to 354.99, 361.x prior to 362.77, or 367.x prior to 368.39. It is, therefore, affected by multiple vulnerabilities : - A privilege escalation vulnerability exists in GFE GameStream due to an unquoted search path. A local attacker can exploit this, via a malicious executable in the root path, to elevate privileges. (CVE-2016-3161) - A denial of service vulnerability exists due to a NULL pointer dereference flaw. An unauthenticated, remote attacker can exploit this to cause a crash. (CVE-2016-4959) - A privilege escalation vulnerability exists in the NVStreamKMS.sys driver due to improper sanitization of user-supplied data passed via API entry points. A local attacker can exploit this to gain elevated privileges. (CVE-2016-4960) - A denial of service vulnerability exists in the NVStreamKMS.sys driver due to improper handling of parameters. An unauthenticated, remote attacker can exploit this to cause a crash. (CVE-2016-4961) - A denial of service vulnerability exists in the NVAPI support layer due to improper sanitization of parameters. An unauthenticated, remote attacker can exploit this to cause a crash. (CVE-2016-5025) - A privilege escalation vulnerability exists in the NVTray plugin due to an unquoted search path. A local attacker can exploit this, via a malicious executable in the root path, to elevate privileges. (CVE-2016-5852) Note that CVE-2016-3161, CVE-2016-4960, CVE-2016-4961, and CVE-2016-5852 only affect systems which also have GeForce Experience software installed."); script_set_attribute(attribute:"see_also", value:"https://nvidia.custhelp.com/app/answers/detail/a_id/4213"); script_set_attribute(attribute:"solution", value: "Upgrade the NVIDIA graphics driver to version 341.96 / 354.99 / 362.77 / 368.39 or later. Alternatively, for CVE-2016-4959, apply the mitigation referenced in the vendor advisory."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-5852"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/08/11"); script_set_attribute(attribute:"patch_publication_date", value:"2016/08/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/10/07"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:nvidia:gpu_driver"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("wmi_enum_display_drivers.nbin"); script_require_keys("WMI/DisplayDrivers/NVIDIA", "Settings/ParanoidReport"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); if (report_paranoia < 2) audit(AUDIT_PARANOID); kb_base = 'WMI/DisplayDrivers/'; # double check in case optimization is disabled kbs = get_kb_list(kb_base + '*/Name'); if (isnull(kbs)) exit(0, 'No display drivers were found.'); nvidia_found = FALSE; foreach name (kbs) if ("NVIDIA" >< name) nvidia_found = TRUE; if (!nvidia_found) exit(0, 'No NVIDIA display drivers were found.'); report = ''; foreach kb (keys(kbs)) { name = kbs[kb]; # only check NVIDIA drivers if ("NVIDIA" >!< name) continue; id = kb - kb_base - '/Name'; version = get_kb_item_or_exit(kb_base + id + '/Version'); driver_date = get_kb_item_or_exit(kb_base + id + '/DriverDate'); disp_driver_date = driver_date; # convert to something we can pass to ver_compare (YYYY.MM.DD) driver_date = split(driver_date, sep:'/', keep:FALSE); driver_date = driver_date[2] + '.' + driver_date[0] + '.' + driver_date[1]; fix = ''; # 367 Branch if (version =~ "^36[78]\." && ver_compare(ver:version, fix:"368.39", strict:FALSE) == -1) fix = '368.39'; # 361 Branch if (version =~ "^36[12]\." && ver_compare(ver:version, fix:"362.77", strict:FALSE) == -1) fix = '362.77'; # 352 Branch if (version =~ "^35[2-4]\." && ver_compare(ver:version, fix:"354.99", strict:FALSE) == -1) fix = '354.99'; # 340 Branch if (version =~ "^34[01]\." && ver_compare(ver:version, fix:"341.96", strict:FALSE) == -1) fix = '341.96'; if (fix != '') { order = make_list('Device name','Driver version','Driver date','Fixed version'); report = make_array( order[0],name, order[1],version, order[2],disp_driver_date, order[3],fix ); report = report_items_str(report_items:report, ordered_fields:order); } } if (report != '') { security_report_v4(severity:SECURITY_HOLE, port:0, extra: report); } else exit(0, "No vulnerable NVIDIA display adapters were found.");

Summary

Vulnerable Configurations

Nessus

References