In all, Nvidia patched flaws tied to 16 CVEs across its graphics drivers and vGPU software, in its first security update of 2021.
Nvidia, which makes gaming-friendly graphics processing units (GPUs), on Thursday fixed a slew of high-severity flaws affecting its graphics driver. The vulnerabilities allow bad actors to cripple systems with denial-of-service attacks, escalate privileges, tamper with data or sniff out sensitive information.
Affected is Nvidia’s graphics driver (formally known as the GPU Display Driver) for Windows. The graphics driver is used in devices targeted at enthusiast gamers; it’s the software component that enables the device’s operating system and programs to use its high-level, gaming-optimized graphics hardware.
Nvidia’s Thursday security update addresses flaws tied to 16 CVEs overall. The most serious of these (CVE‑2021‑1051) is an issue in the graphics driver’s kernel mode layer. This flaw ranks 8.4 out of 10 on the CVSS scale, making it high severity.
Kernel mode is generally reserved for the lowest-level, most trusted functions of the operating system; in this case, the layer (nvlddmkm.sys) handler for the DxgkDdiEscape interface contains a glitch where an operation is performed that could be abused to launch a denial-of-service (DoS) attack or escalate privileges.
Another high-severity flaw (CVE‑2021‑1052) in this same kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape could allow user-mode clients to access legacy privileged application programming interfaces (APIs). According to Nvidia, this “may lead to denial of service, escalation of privileges, and information disclosure.”
Nvidia also stomped out four medium-severity flaws in its graphics driver. Three of these (CVE‑2021‑1053, CVE‑2021‑1054, CVE‑2021‑1055) also stem from the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, while the fourth (CVE‑2021‑1056) exists in a kernel mode layer (nvidia.ko) that does not completely honor operating system file system permissions to provide GPU device-level isolation. That could allow for DoS or information disclosure.
Beyond its graphics drivers, Nvidia warned of flaws tied to 9 high-severity CVEs in its virtual GPU (vGPU) software. Nvidia’s vGPU creates graphics-focused virtual desktops and workstations in tandem with the company’s data center Tesla accelerator GPUs.
vGPU Software Flaws
Several of the flaws addressed in Nvidia’s Thursday security advisory stem from Nvidia’s vGPU manager, its tool that enables multiple virtual machines to have simultaneous, direct access to a single physical GPU, while also using Nvidia graphics drivers deployed on non-virtualized operating systems.
One high-severity flaw exists in a plugin within the vGPU manager (CVE‑2021‑1057). This issue could allow guests to allocate some resources for which they are not authorized, which according to Nvidia could lead to data integrity and confidentiality loss, DoS and information disclosure. The vGPU manager also contains a flaw in the vGPU plugin (CVE‑2021‑1059), in which an input index is not validated, which could lead to integer overflow. A race condition (CVE‑2021‑1061) in the vGPU plugin of the vGPU manager could essentially trick it into using a previously validated resource that has since changed, which may lead to DoS or information disclosure.
And, in another Nvidia vGPU plugin issue (CVE‑2021‑1065), input data is not validated, which may lead to tampering of data or DoS.
Various Nvidia GeForce Windows and Linux driver branches are affected; Nvidia has released a full list of affected versions and updated driver versions in its security advisory. The graphics chip maker has also released fixes for specific versions of the vGPU software affected by these flaws on its website.
The security advisory is Nvidia’s first in 2021. Last year, the company issued its fair share of patches, including fixes for two high-severity flaws in the Windows version of its GeForce Experience software and a patch for a critical bug in its high-performance line of DGX servers, both in October, and a high-severity flaw in its GeForce NOW application software for Windows in November.