NVIDIA has released security updates to address a dozen vulnerabilities in GPU display drivers and vGPU software, some of them could lead to code execution.
“NVIDIA has released a software security update for NVIDIA GPU Display Driver. This update addresses issues that may lead to denial of service, escalation of privileges, or information disclosure.” reads the security advisory published by NVIDIA.
“To protect your system, download and install this software update through the NVIDIA Driver Downloads page or, for the vGPU software update, through the NVIDIA Licensing Portal.”
One of the most severe vulnerabilities affecting the GPU drivers is the CVE‑2020‑5962 that affects the NVIDIA GPU display driver, it could be exploited by a local attacker to elevate privileges or cause a denial of service (DoS) condition.
Another severe flaw is CVE‑2020‑5963 which impacts in the CUDA driver, the second resides in the Inter Process Communication APIs and could lead to code execution, DoS, or information disclosure.
NVIDIA also addressed 4 vulnerabilities (CVE‑2020‑5964, CVE‑2020‑5965, CVE‑2020‑5966, CVE‑2020‑5967) affecting the GPU display driver,
The most severe one is the CVE‑2020‑5964 which could lead to code execution, denial of service, or information disclosure.
The company addressed four vulnerabilities in the vGPU plugin of the Virtual GPU Manager that could be exploited to execute code, cause a DoS condition, escalate privileges, or leak data,
The issues are caused by the incorrect restriction of operations within the boundaries of a resource (CVE‑2020‑5968), a race condition (CVE‑2020‑5969), lack of validation of input data size (CVE‑2020‑5970), or the reference of memory locations after the targeted buffer (CVE‑2020‑5971).
The flaws addressed by the vendor affect multiple versions of the GeForce, Quadro, NVS, and Tesla drivers for Windows and Linux, as well as various iterations of vGPU software for Windows, Linux, Citrix Hypervisor, VMware vSphere, Red Hat Enterprise Linux with KVM, and Nutanix AHV.
(SecurityAffairs – hacking, GPU)