Vulnerabilities > CVE-2019-5666 - Improper Validation of Array Index vulnerability in Nvidia GPU Driver
Attack vector
LOCAL Attack complexity
LOW Privileges required
LOW Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
NVIDIA Windows GPU Display Driver contains a vulnerability in the kernel mode layer (nvlddmkm.sys) create context command DDI DxgkDdiCreateContext in which the product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array, which may lead to denial of service or escalation of privileges.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 | |
OS | 1 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
Nessus
NASL family Windows NASL id NVIDIA_WIN_2019_05.NASL description The NVIDIA GPU display driver software on the remote Windows host is missing a security update. It is, therefore, affected by multiple vulnerabilities: - An unspecified vulnerability exists in the kernel mode layer (nvvlddmkm.sys) handler for DxgkDdiEscape due to improper synchronization of shared data. An authenticated, local attacker can exploit this, to cause a denial of service, gain elevated privileges or to disclose potentially sensitive information. (CVE-2019-5675) - A binary planting vulnerability exists due to improper path or signature validation. An authenticated, local attacker can exploit this, via code execution to gain elevated privileges. (CVE-2019-5676) - A memory corruption vulnerability exists in the kernel mode layer (nvlddmkm.sys) handler for DeviceIoControl. An authenticated, local attacker can exploit this, to cause a denial of service condition. (CVE-2019-5677) last seen 2020-04-30 modified 2019-06-19 plugin id 126049 published 2019-06-19 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/126049 title NVIDIA Windows GPU Display Driver Multiple Vulnerabilities (May 2019) code # # (C) Tenable Network Security, Inc. # include('compat.inc'); if (description) { script_id(126049); script_version("1.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/29"); script_cve_id( "CVE-2019-5666", "CVE-2019-5675", "CVE-2019-5676", "CVE-2019-5677" ); script_name(english:"NVIDIA Windows GPU Display Driver Multiple Vulnerabilities (May 2019)"); script_summary(english:"Checks the driver version."); script_set_attribute(attribute:"synopsis", value: "A display driver installed on the remote Windows host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The NVIDIA GPU display driver software on the remote Windows host is missing a security update. It is, therefore, affected by multiple vulnerabilities: - An unspecified vulnerability exists in the kernel mode layer (nvvlddmkm.sys) handler for DxgkDdiEscape due to improper synchronization of shared data. An authenticated, local attacker can exploit this, to cause a denial of service, gain elevated privileges or to disclose potentially sensitive information. (CVE-2019-5675) - A binary planting vulnerability exists due to improper path or signature validation. An authenticated, local attacker can exploit this, via code execution to gain elevated privileges. (CVE-2019-5676) - A memory corruption vulnerability exists in the kernel mode layer (nvlddmkm.sys) handler for DeviceIoControl. An authenticated, local attacker can exploit this, to cause a denial of service condition. (CVE-2019-5677)"); # https://nvidia.custhelp.com/app/answers/detail/a_id/4797 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9fd89bc5"); script_set_attribute(attribute:"solution", value: "Upgrade the NVIDIA graphics driver in accordance with the vendor advisory."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-5676"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/05/09"); script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/06/19"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:nvidia:gpu_driver"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("wmi_enum_display_drivers.nbin"); script_require_keys("WMI/DisplayDrivers/NVIDIA", "Settings/ParanoidReport"); exit(0); } include('audit.inc'); include('global_settings.inc'); include('misc_func.inc'); app_name = 'NVIDIA Driver'; # it is not possible to tell if these are vendor provided drivers or from the NVIDIA website # some vendor provided version come with a fix (i.e. 430.23, 425.25, and 422.02) if (report_paranoia < 2) audit(AUDIT_PARANOID); kb_base = 'WMI/DisplayDrivers/'; # double check in case optimization is disabled kbs = get_kb_list(kb_base + '*/Name'); if (isnull(kbs)) exit(0, 'No display drivers were found.'); foreach kb (keys(kbs)) { name = tolower(kbs[kb]); if ('nvidia' >!< name) continue; id = kb - kb_base - '/Name'; version = get_kb_item_or_exit(kb_base + id + '/Version'); gpumodel = tolower(get_kb_item_or_exit(kb_base + id + '/Processor')); break; } fix = NULL; # Geforce or Quadro NVS # All R430 versions prior to 430.64 if (gpumodel =~ "geforce|quadro|nvs" && version =~ "^430\.") fix = '430.64'; # Quadro NVS if (gpumodel =~ "quadro|nvs") { # All R418 versions prior to 425.51 if (version =~ "^4(1[89]|2[0-5])\.") fix = '425.51'; # All R410 versions prior to 412.36 else if (version =~ "^41[0-2]\.") fix = '412.36'; # All R390 versions prior to 392.53 else if (version =~ "^39[0-2]\.") fix = '392.53'; } # Tesla if (gpumodel =~ "tesla") { # All R418 versions prior to 425.25 if (version =~ "^4(1[89]|2[0-5])\.") fix = '425.25'; # All R410 versions prior to 412.36 else if (version =~ "^41[0-2]\.") fix = '412.36'; } if (isnull(fix)) audit(AUDIT_INST_VER_NOT_VULN, app_name, version); if (ver_compare(ver:version, fix:fix, strict:FALSE) == -1) { report = '\n Installed driver version : ' + version + '\n Fixed driver version : ' + fix + '\n'; security_report_v4(severity:SECURITY_HOLE, port:0, extra: report); } else audit(AUDIT_INST_VER_NOT_VULN, app_name, version);
NASL family Windows NASL id NVIDIA_WIN_2019_02.NASL description The NVIDIA GPU display driver software on the remote host is missing a security update. It is, therefore, affected by multiple vulnerabilities: - A vulnerability in the 3D vision component in which the stereo service software, when opening a file, does not check for hard links. This behavior may lead to code execution, denial of service or escalation of privileges. (CVE-2019-5665) - A vulnerability in the kernel mode layer (nvlddmkm.sys) create context command DDI DxgkDdiCreateContext in which the product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array, which may lead to denial of service or escalation of privileges. (CVE-2019-5666) - A vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiSetRootPageTable in which the application dereferences a pointer that it expects to be valid, but is NULL, which may lead to code execution, denial of service or escalation of privileges. (CVE-2019-5667) It is also affected by additional vulnerabilities including denial of service, privilege escalation, code execution, and information disclosure vulnerabilities. See the vendor advisory for details. last seen 2020-06-01 modified 2020-06-02 plugin id 122510 published 2019-03-01 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122510 title NVIDIA Windows GPU Display Driver Multiple Vulnerabilities (February 2019) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(122510); script_version("1.2"); script_cvs_date("Date: 2019/10/31 15:18:51"); script_cve_id( "CVE-2018-6260", "CVE-2019-5665", "CVE-2019-5666", "CVE-2019-5667", "CVE-2019-5668", "CVE-2019-5669", "CVE-2019-5670", "CVE-2019-5671" ); script_xref(name:"IAVA", value:"2019-A-0063"); script_name(english:"NVIDIA Windows GPU Display Driver Multiple Vulnerabilities (February 2019)"); script_summary(english:"Checks the driver version."); script_set_attribute(attribute:"synopsis", value: "A display driver installed on the remote Windows host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The NVIDIA GPU display driver software on the remote host is missing a security update. It is, therefore, affected by multiple vulnerabilities: - A vulnerability in the 3D vision component in which the stereo service software, when opening a file, does not check for hard links. This behavior may lead to code execution, denial of service or escalation of privileges. (CVE-2019-5665) - A vulnerability in the kernel mode layer (nvlddmkm.sys) create context command DDI DxgkDdiCreateContext in which the product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array, which may lead to denial of service or escalation of privileges. (CVE-2019-5666) - A vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiSetRootPageTable in which the application dereferences a pointer that it expects to be valid, but is NULL, which may lead to code execution, denial of service or escalation of privileges. (CVE-2019-5667) It is also affected by additional vulnerabilities including denial of service, privilege escalation, code execution, and information disclosure vulnerabilities. See the vendor advisory for details."); script_set_attribute(attribute:"see_also", value:"https://nvidia.custhelp.com/app/answers/detail/a_id/4772"); script_set_attribute(attribute:"solution", value: "Upgrade the NVIDIA graphics driver in accordance with the vendor advisory."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-5665"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/11/13"); script_set_attribute(attribute:"patch_publication_date", value:"2019/02/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/03/01"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:nvidia:gpu_driver"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("wmi_enum_display_drivers.nbin"); script_require_keys("WMI/DisplayDrivers/NVIDIA", "Settings/ParanoidReport"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); if (report_paranoia < 2) audit(AUDIT_PARANOID); kb_base = 'WMI/DisplayDrivers/'; # double check in case optimization is disabled kbs = get_kb_list(kb_base + '*/Name'); if (isnull(kbs)) exit(0, 'No display drivers were found.'); report = ''; foreach kb (keys(kbs)) { name = kbs[kb]; # only check NVIDIA drivers if ("NVIDIA" >!< name) continue; nvidia_found = TRUE; id = kb - kb_base - '/Name'; version = get_kb_item_or_exit(kb_base + id + '/Version'); driver_date = get_kb_item_or_exit(kb_base + id + '/DriverDate'); disp_driver_date = driver_date; # convert to something we can pass to ver_compare (YYYY.MM.DD) driver_date = split(driver_date, sep:'/', keep:FALSE); driver_date = driver_date[2] + '.' + driver_date[0] + '.' + driver_date[1]; fix = NULL; # All R418 versions prior to 419.17 if (version =~ "^41[89]\." && ver_compare(ver:version, fix:"419.17", strict:FALSE) == -1) fix = "419.17"; # All R400 versions prior to 412.29 else if (version =~ "^4(0[0-9]|1[0-2])\." && ver_compare(ver:version, fix:"412.29", strict:FALSE) == -1) fix = "412.29"; # All R390 versions prior to 392.37 else if (version =~ "^39[0-2]\." && ver_compare(ver:version, fix:"392.37", strict:FALSE) == -1) fix = "392.37"; if(!isnull(fix)) { order = make_list('Device name','Driver version','Driver date','Fixed version'); report = make_array( order[0],name, order[1],version, order[2],disp_driver_date, order[3],fix ); report = report_items_str(report_items:report, ordered_fields:order); security_report_v4(severity:SECURITY_HOLE, port:0, extra:report); exit(0); } else { exit(0, "No vulnerable NVIDIA display drivers were found."); } } exit(0, 'No NVIDIA display drivers were found.');
References
- http://support.lenovo.com/us/en/solutions/LEN-26250
- http://support.lenovo.com/us/en/solutions/LEN-26250
- https://nvidia.custhelp.com/app/answers/detail/a_id/4772
- https://nvidia.custhelp.com/app/answers/detail/a_id/4772
- https://nvidia.custhelp.com/app/answers/detail/a_id/4797
- https://nvidia.custhelp.com/app/answers/detail/a_id/4797