Vulnerabilities > CVE-2019-5684 - Out-of-bounds Write vulnerability in Nvidia GPU Driver

047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
nvidia
microsoft
CWE-787
critical
nessus

Summary

NVIDIA Windows GPU Display Driver (all versions) contains a vulnerability in DirectX drivers, in which a specially crafted shader can cause an out of bounds access of an input texture array, which may lead to denial of service or code execution.

Vulnerable Configurations

Part Description Count
Application
Nvidia
1
OS
Microsoft
1

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyMisc.
    NASL idVMWARE_ESXI_VMSA-2019-0012.NASL
    descriptionThe remote VMware ESXi host is version 6.5 or 6.7 and is affected by multiple vulnerabilities. Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id128035
    published2019-08-20
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128035
    titleESXi 6.5 / 6.7 Multiple Vulnerabilities (VMSA-2019-0012)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    include('compat.inc');
    
    if (description)
    {
      script_id(128035);
      script_version("1.2");
      script_cvs_date("Date: 2019/10/17 14:31:04");
    
      script_cve_id("CVE-2019-5521", "CVE-2019-5684");
      script_bugtraq_id(93287);
      script_xref(name:"VMSA", value:"2019-0012");
      script_xref(name:"IAVA", value:"2019-A-0278");
    
      script_name(english:"ESXi 6.5 / 6.7 Multiple Vulnerabilities (VMSA-2019-0012)");
      script_summary(english:"Checks the ESXi version and build number.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote VMware ESXi host is missing a security patch and is affected by pixel shader out-of-bounds read/write vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote VMware ESXi host is version 6.5 or 6.7 and is affected by
    multiple vulnerabilities.  Note that Nessus has not tested for these
    issues but has instead relied only on the application's self-reported
    version number.");
      script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2019-0012.html");
      script_set_attribute(attribute:"solution", value:
    "Apply the appropriate patch as referenced in the vendor advisory.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-5684");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/08/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/08/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/20");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi");
      script_set_attribute(attribute:"stig_severity", value:"II");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("vmware_vsphere_detect.nbin");
      script_require_keys("Host/VMware/version", "Host/VMware/release", "Settings/ParanoidReport");
    
      exit(0);
    }
    
    include('audit.inc');
    include('global_settings.inc');
    include('misc_func.inc');
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    fixes = make_array(
      '6.5', '13932383',
      '6.7', '13981272'
    );
    
    rel = get_kb_item_or_exit('Host/VMware/release');
    if ('ESXi' >!< rel) audit(AUDIT_OS_NOT, 'ESXi');
    
    ver = get_kb_item_or_exit('Host/VMware/version');
    
    match = pregmatch(pattern:'^ESXi? ([0-9]+\\.[0-9]+).*$', string:ver);
    if (isnull(match)) audit(AUDIT_UNKNOWN_BUILD, 'VMware ESXi', '6.5 / 6.7');
    ver = match[1];
    
    if (ver !~ '^6\\.(5|7)$') audit(AUDIT_OS_NOT, 'ESXi 6.5 / 6.7');
    
    fixed_build = int(fixes[ver]);
    
    if (empty_or_null(fixed_build)) audit(AUDIT_VER_FORMAT, ver);
    
    match = pregmatch(pattern:'^VMware ESXi.*build-([0-9]+)$', string:rel);
    if (isnull(match)) audit(AUDIT_UNKNOWN_BUILD, 'VMware ESXi', '6.5 / 6.7');
    
    build = int(match[1]);
    
    if (!(build < fixed_build)) audit(AUDIT_INST_VER_NOT_VULN, 'VMware ESXi', ver + ' build ' + build);
    
    report = '\n  ESXi version    : ' + ver +
             '\n  Installed build : ' + build +
             '\n  Fixed build     : ' + fixed_build +
             '\n';
    
    security_report_v4(port:0, severity:SECURITY_HOLE, extra:report);
    
  • NASL familyWindows
    NASL idVMWARE_WORKSTATION_WIN_VMSA_2019_0012.NASL
    descriptionThe version of VMware Workstation installed on the remote Windows host is 14.0.x prior to 14.1.6 or 15.0.x prior to 15.0.3. It is, therefore, affected by multiple vulnerabilities. Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id127138
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127138
    titleVMware Workstation 14.0.x < 14.1.6 / 15.0.x < 15.0.3 Pixel Shader out-of-bounds read/write vulnerabilities (VMSA-2019-0012)
  • NASL familyVMware ESX Local Security Checks
    NASL idVMWARE_VMSA-2019-0012.NASL
    descriptionPixel shader vulnerabilities VMware ESXi, Workstation and Fusion contain out-of-bounds read/write vulnerabilities in the pixel shader functionality. Exploitation of these issues require an attacker to have access to a virtual machine with 3D graphics enabled. It is not enabled by default on ESXi and is enabled by default on Workstation and Fusion. Successful exploitation of the out-of-bounds read issue (CVE-2019-5521) may lead to information disclosure or may allow attackers with normal user privileges to create a denial-of-service condition on the host. The out-of-bounds write issue (CVE-2019-5684) can be exploited only if the host has an affected NVIDIA graphics driver. Successful exploitation of this issue may lead to code execution on the host. Customers should check NVIDIA security advisory for additional information.
    last seen2020-06-01
    modified2020-06-02
    plugin id127807
    published2019-08-12
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127807
    titleVMSA-2019-0012 : Out-of-bounds pixel shader vulnerabilities
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_FUSION_VMSA_2019_0012.NASL
    descriptionThe version of VMware Fusion installed on the remote macOS or Mac OS X host is 10.0.x prior to 10.1.6 or 11.0.x prior to 11.0.3. It is, therefore, affected by multiple vulnerabilities. Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id127135
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127135
    titleVMware Fusion 10.0.x < 10.1.6 / 11.0.x < 11.0.3 Pixel Shader out-of-bounds read/write vulnerabilities (VMSA-2019-0012)