Vulnerabilities > CVE-2018-6260 - Information Exposure vulnerability in Nvidia GPU Driver
Attack vector
LOCAL Attack complexity
LOW Privileges required
LOW Confidentiality impact
HIGH Integrity impact
NONE Availability impact
NONE Summary
NVIDIA graphics driver contains a vulnerability that may allow access to application data processed on the GPU through a side channel exposed by the GPU performance counters. Local user access is required. This is not a network or remote attack vector.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Subverting Environment Variable Values The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
- Footprinting An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
- Exploiting Trust in Client (aka Make the Client Invisible) An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
- Browser Fingerprinting An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
- Session Credential Falsification through Prediction This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
Nessus
NASL family Misc. NASL id NVIDIA_UNIX_2019_02.NASL description The NVIDIA GPU display driver software on the remote host is missing a security update. It is, therefore, affected by a local information disclosure vulnerability. last seen 2020-06-01 modified 2020-06-02 plugin id 122509 published 2019-03-01 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122509 title NVIDIA Linux GPU Display Driver Information Disclosure Vulnerability (CVE-2018-6260) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(122509); script_version("1.2"); script_cvs_date("Date: 2019/10/31 15:18:51"); script_cve_id("CVE-2018-6260"); script_xref(name:"IAVA", value:"2019-A-0063"); script_name(english:"NVIDIA Linux GPU Display Driver Information Disclosure Vulnerability (CVE-2018-6260)"); script_summary(english:"Checks the driver version."); script_set_attribute(attribute:"synopsis", value: "A display driver installed on the remote Linux host is affected by an information disclosure vulnerability."); script_set_attribute(attribute:"description", value: "The NVIDIA GPU display driver software on the remote host is missing a security update. It is, therefore, affected by a local information disclosure vulnerability."); script_set_attribute(attribute:"see_also", value:"https://nvidia.custhelp.com/app/answers/detail/a_id/4772"); script_set_attribute(attribute:"solution", value: "Upgrade the NVIDIA graphics driver in accordance with the vendor advisory."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-6260"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/11/13"); script_set_attribute(attribute:"patch_publication_date", value:"2019/02/22"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/03/01"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:nvidia:gpu_driver"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("nvidia_unix_driver_detect.nbin"); script_require_keys("NVIDIA_UNIX_Driver/Version"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); version = get_kb_item_or_exit("NVIDIA_UNIX_Driver/Version"); gpumodel = get_kb_item_or_exit("NVIDIA_UNIX_Driver/GPU_Model"); fix = NULL; if (gpumodel =~ 'GeForce|Quadro|NVS') { # All R418 versions prior to 418.43 if (version =~ "^418\.") fix = "418.43"; # All R400 versions prior to 410.104 else if (version =~ "^4(0[0-9]|10)\.") fix = "410.104"; # All R390 versions prior to 390.116 else if (version =~ "^390\.") fix = "390.116"; } else if (gpumodel =~ 'Tesla') { # All R418 versions prior to 418.39 if (version =~ "^418\.") fix = "418.39"; # All R400 versions prior to 410.104 else if (version =~ "^4(0[0-9]|10)\.") fix = "410.104"; # All R396 versions prior to 396.82 else if (version =~ "^396\.") fix = "396.82"; # All R390 versions prior to 390.116 else if (version =~ "^390\.") fix = "390.116"; # All R384 versions prior to 384.183 else if (version =~ "^384\.") fix = "384.183"; } if (isnull(fix)) audit(AUDIT_INST_VER_NOT_VULN, "NVIDIA UNIX Driver", version); if (ver_compare(ver:version, fix:fix, strict:FALSE) == -1) { report = '\n Installed driver version : ' + version + '\n Fixed driver version : ' + fix; security_report_v4(severity:SECURITY_NOTE, port:0, extra: report); } else audit(AUDIT_INST_VER_NOT_VULN, "NVIDIA UNIX Driver", version);
NASL family Windows NASL id NVIDIA_WIN_2019_02.NASL description The NVIDIA GPU display driver software on the remote host is missing a security update. It is, therefore, affected by multiple vulnerabilities: - A vulnerability in the 3D vision component in which the stereo service software, when opening a file, does not check for hard links. This behavior may lead to code execution, denial of service or escalation of privileges. (CVE-2019-5665) - A vulnerability in the kernel mode layer (nvlddmkm.sys) create context command DDI DxgkDdiCreateContext in which the product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array, which may lead to denial of service or escalation of privileges. (CVE-2019-5666) - A vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiSetRootPageTable in which the application dereferences a pointer that it expects to be valid, but is NULL, which may lead to code execution, denial of service or escalation of privileges. (CVE-2019-5667) It is also affected by additional vulnerabilities including denial of service, privilege escalation, code execution, and information disclosure vulnerabilities. See the vendor advisory for details. last seen 2020-06-01 modified 2020-06-02 plugin id 122510 published 2019-03-01 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122510 title NVIDIA Windows GPU Display Driver Multiple Vulnerabilities (February 2019) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(122510); script_version("1.2"); script_cvs_date("Date: 2019/10/31 15:18:51"); script_cve_id( "CVE-2018-6260", "CVE-2019-5665", "CVE-2019-5666", "CVE-2019-5667", "CVE-2019-5668", "CVE-2019-5669", "CVE-2019-5670", "CVE-2019-5671" ); script_xref(name:"IAVA", value:"2019-A-0063"); script_name(english:"NVIDIA Windows GPU Display Driver Multiple Vulnerabilities (February 2019)"); script_summary(english:"Checks the driver version."); script_set_attribute(attribute:"synopsis", value: "A display driver installed on the remote Windows host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The NVIDIA GPU display driver software on the remote host is missing a security update. It is, therefore, affected by multiple vulnerabilities: - A vulnerability in the 3D vision component in which the stereo service software, when opening a file, does not check for hard links. This behavior may lead to code execution, denial of service or escalation of privileges. (CVE-2019-5665) - A vulnerability in the kernel mode layer (nvlddmkm.sys) create context command DDI DxgkDdiCreateContext in which the product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array, which may lead to denial of service or escalation of privileges. (CVE-2019-5666) - A vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiSetRootPageTable in which the application dereferences a pointer that it expects to be valid, but is NULL, which may lead to code execution, denial of service or escalation of privileges. (CVE-2019-5667) It is also affected by additional vulnerabilities including denial of service, privilege escalation, code execution, and information disclosure vulnerabilities. See the vendor advisory for details."); script_set_attribute(attribute:"see_also", value:"https://nvidia.custhelp.com/app/answers/detail/a_id/4772"); script_set_attribute(attribute:"solution", value: "Upgrade the NVIDIA graphics driver in accordance with the vendor advisory."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-5665"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/11/13"); script_set_attribute(attribute:"patch_publication_date", value:"2019/02/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/03/01"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:nvidia:gpu_driver"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("wmi_enum_display_drivers.nbin"); script_require_keys("WMI/DisplayDrivers/NVIDIA", "Settings/ParanoidReport"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); if (report_paranoia < 2) audit(AUDIT_PARANOID); kb_base = 'WMI/DisplayDrivers/'; # double check in case optimization is disabled kbs = get_kb_list(kb_base + '*/Name'); if (isnull(kbs)) exit(0, 'No display drivers were found.'); report = ''; foreach kb (keys(kbs)) { name = kbs[kb]; # only check NVIDIA drivers if ("NVIDIA" >!< name) continue; nvidia_found = TRUE; id = kb - kb_base - '/Name'; version = get_kb_item_or_exit(kb_base + id + '/Version'); driver_date = get_kb_item_or_exit(kb_base + id + '/DriverDate'); disp_driver_date = driver_date; # convert to something we can pass to ver_compare (YYYY.MM.DD) driver_date = split(driver_date, sep:'/', keep:FALSE); driver_date = driver_date[2] + '.' + driver_date[0] + '.' + driver_date[1]; fix = NULL; # All R418 versions prior to 419.17 if (version =~ "^41[89]\." && ver_compare(ver:version, fix:"419.17", strict:FALSE) == -1) fix = "419.17"; # All R400 versions prior to 412.29 else if (version =~ "^4(0[0-9]|1[0-2])\." && ver_compare(ver:version, fix:"412.29", strict:FALSE) == -1) fix = "412.29"; # All R390 versions prior to 392.37 else if (version =~ "^39[0-2]\." && ver_compare(ver:version, fix:"392.37", strict:FALSE) == -1) fix = "392.37"; if(!isnull(fix)) { order = make_list('Device name','Driver version','Driver date','Fixed version'); report = make_array( order[0],name, order[1],version, order[2],disp_driver_date, order[3],fix ); report = report_items_str(report_items:report, ordered_fields:order); security_report_v4(severity:SECURITY_HOLE, port:0, extra:report); exit(0); } else { exit(0, "No vulnerable NVIDIA display drivers were found."); } } exit(0, 'No NVIDIA display drivers were found.');
NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2019-1182.NASL description NVIDIA graphics driver contains a vulnerability that may allow access to application data processed on the GPU through a side channel exposed by the GPU performance counters. Local user access is required. This is not a network or remote attack vector. (CVE-2018-6260) last seen 2020-06-01 modified 2020-06-02 plugin id 123090 published 2019-03-26 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123090 title Amazon Linux AMI : nvidia (ALAS-2019-1182) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Amazon Linux AMI Security Advisory ALAS-2019-1182. # include("compat.inc"); if (description) { script_id(123090); script_version("1.2"); script_cvs_date("Date: 2020/02/03"); script_cve_id("CVE-2018-6260"); script_xref(name:"ALAS", value:"2019-1182"); script_name(english:"Amazon Linux AMI : nvidia (ALAS-2019-1182)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Amazon Linux AMI host is missing a security update." ); script_set_attribute( attribute:"description", value: "NVIDIA graphics driver contains a vulnerability that may allow access to application data processed on the GPU through a side channel exposed by the GPU performance counters. Local user access is required. This is not a network or remote attack vector. (CVE-2018-6260)" ); script_set_attribute( attribute:"see_also", value:"https://alas.aws.amazon.com/ALAS-2019-1182.html" ); script_set_attribute( attribute:"solution", value:"Run 'yum update nvidia' to update your system." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:nvidia"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:nvidia-dkms"); script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/11/13"); script_set_attribute(attribute:"patch_publication_date", value:"2019/03/25"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/03/26"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Amazon Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/AmazonLinux/release"); if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux"); os_ver = pregmatch(pattern: "^AL(A|\d)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux"); os_ver = os_ver[1]; if (os_ver != "A") { if (os_ver == 'A') os_ver = 'AMI'; audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver); } if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (rpm_check(release:"ALA", cpu:"x86_64", reference:"nvidia-410.104-2018.03.111.amzn1")) flag++; if (rpm_check(release:"ALA", cpu:"x86_64", reference:"nvidia-dkms-410.104-2018.03.111.amzn1")) flag++; if (flag) { if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get()); else security_note(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nvidia / nvidia-dkms"); }
References
- http://support.lenovo.com/us/en/solutions/LEN-26250
- http://support.lenovo.com/us/en/solutions/LEN-26250
- https://nvidia.custhelp.com/app/answers/detail/a_id/4738
- https://nvidia.custhelp.com/app/answers/detail/a_id/4738
- https://nvidia.custhelp.com/app/answers/detail/a_id/4772
- https://nvidia.custhelp.com/app/answers/detail/a_id/4772
- https://usn.ubuntu.com/3904-1/
- https://usn.ubuntu.com/3904-1/