Vulnerabilities > CVE-2019-5677 - Out-of-bounds Read vulnerability in Nvidia GPU Driver

CVSS 4.9 - MEDIUM

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

COMPLETE

local

low complexity

nvidia

CWE-125

nessus

NVD

Published: 2019-05-10

Updated: 2020-08-24

Summary

NVIDIA Windows GPU Display driver software for Windows (all versions) contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DeviceIoControl where the software reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer, which may lead to denial of service.

Vulnerable Configurations

Part	Description	Count
Application	Nvidia Nvidia GPU Driver *	1

Common Weakness Enumeration (CWE)

CWE-125 - Out-of-bounds Read

Common Attack Pattern Enumeration and Classification (CAPEC)

Overread Buffers
An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.

Nessus

NASL family	Windows
NASL id	NVIDIA_WIN_2019_05.NASL
description	The NVIDIA GPU display driver software on the remote Windows host is missing a security update. It is, therefore, affected by multiple vulnerabilities: - An unspecified vulnerability exists in the kernel mode layer (nvvlddmkm.sys) handler for DxgkDdiEscape due to improper synchronization of shared data. An authenticated, local attacker can exploit this, to cause a denial of service, gain elevated privileges or to disclose potentially sensitive information. (CVE-2019-5675) - A binary planting vulnerability exists due to improper path or signature validation. An authenticated, local attacker can exploit this, via code execution to gain elevated privileges. (CVE-2019-5676) - A memory corruption vulnerability exists in the kernel mode layer (nvlddmkm.sys) handler for DeviceIoControl. An authenticated, local attacker can exploit this, to cause a denial of service condition. (CVE-2019-5677)
last seen	2020-04-30
modified	2019-06-19
plugin id	126049
published	2019-06-19
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/126049
title	NVIDIA Windows GPU Display Driver Multiple Vulnerabilities (May 2019)
code	# # (C) Tenable Network Security, Inc. # include('compat.inc'); if (description) { script_id(126049); script_version("1.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/29"); script_cve_id( "CVE-2019-5666", "CVE-2019-5675", "CVE-2019-5676", "CVE-2019-5677" ); script_name(english:"NVIDIA Windows GPU Display Driver Multiple Vulnerabilities (May 2019)"); script_summary(english:"Checks the driver version."); script_set_attribute(attribute:"synopsis", value: "A display driver installed on the remote Windows host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The NVIDIA GPU display driver software on the remote Windows host is missing a security update. It is, therefore, affected by multiple vulnerabilities: - An unspecified vulnerability exists in the kernel mode layer (nvvlddmkm.sys) handler for DxgkDdiEscape due to improper synchronization of shared data. An authenticated, local attacker can exploit this, to cause a denial of service, gain elevated privileges or to disclose potentially sensitive information. (CVE-2019-5675) - A binary planting vulnerability exists due to improper path or signature validation. An authenticated, local attacker can exploit this, via code execution to gain elevated privileges. (CVE-2019-5676) - A memory corruption vulnerability exists in the kernel mode layer (nvlddmkm.sys) handler for DeviceIoControl. An authenticated, local attacker can exploit this, to cause a denial of service condition. (CVE-2019-5677)"); # https://nvidia.custhelp.com/app/answers/detail/a_id/4797 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9fd89bc5"); script_set_attribute(attribute:"solution", value: "Upgrade the NVIDIA graphics driver in accordance with the vendor advisory."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-5676"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/05/09"); script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/06/19"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:nvidia:gpu_driver"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("wmi_enum_display_drivers.nbin"); script_require_keys("WMI/DisplayDrivers/NVIDIA", "Settings/ParanoidReport"); exit(0); } include('audit.inc'); include('global_settings.inc'); include('misc_func.inc'); app_name = 'NVIDIA Driver'; # it is not possible to tell if these are vendor provided drivers or from the NVIDIA website # some vendor provided version come with a fix (i.e. 430.23, 425.25, and 422.02) if (report_paranoia < 2) audit(AUDIT_PARANOID); kb_base = 'WMI/DisplayDrivers/'; # double check in case optimization is disabled kbs = get_kb_list(kb_base + '*/Name'); if (isnull(kbs)) exit(0, 'No display drivers were found.'); foreach kb (keys(kbs)) { name = tolower(kbs[kb]); if ('nvidia' >!< name) continue; id = kb - kb_base - '/Name'; version = get_kb_item_or_exit(kb_base + id + '/Version'); gpumodel = tolower(get_kb_item_or_exit(kb_base + id + '/Processor')); break; } fix = NULL; # Geforce or Quadro NVS # All R430 versions prior to 430.64 if (gpumodel =~ "geforce\|quadro\|nvs" && version =~ "^430\.") fix = '430.64'; # Quadro NVS if (gpumodel =~ "quadro\|nvs") { # All R418 versions prior to 425.51 if (version =~ "^4(1[89]\|2[0-5])\.") fix = '425.51'; # All R410 versions prior to 412.36 else if (version =~ "^41[0-2]\.") fix = '412.36'; # All R390 versions prior to 392.53 else if (version =~ "^39[0-2]\.") fix = '392.53'; } # Tesla if (gpumodel =~ "tesla") { # All R418 versions prior to 425.25 if (version =~ "^4(1[89]\|2[0-5])\.") fix = '425.25'; # All R410 versions prior to 412.36 else if (version =~ "^41[0-2]\.") fix = '412.36'; } if (isnull(fix)) audit(AUDIT_INST_VER_NOT_VULN, app_name, version); if (ver_compare(ver:version, fix:fix, strict:FALSE) == -1) { report = '\n Installed driver version : ' + version + '\n Fixed driver version : ' + fix + '\n'; security_report_v4(severity:SECURITY_HOLE, port:0, extra: report); } else audit(AUDIT_INST_VER_NOT_VULN, app_name, version);

References

https://nvidia.custhelp.com/app/answers/detail/a_id/4797