The gaming- and AI-pleasant graphics accelerators can open up the door to a variety of cyberattacks.
Nvidia has disclosed a team of security vulnerabilities in the Nvidia graphics processing device (GPU) display driver, which could subject players and other individuals to privilege-escalation assaults, arbitrary code execution, denial of service (DoS) and info disclosure.
Meanwhile, the Nvidia digital GPU (vGPU) program also has a group of bugs that could lead to a selection of very similar assaults.
5 GPU Screen Driver Security Bugs
The most critical of the five bugs in the GPU display driver is tracked as CVE-2021-1074, which charges 7.5 out of 10 on the CVSS vulnerability scale, generating it superior-severity. It exists in the display driver’s installer, and allows an attacker with area program entry to swap an software resource with malicious documents. This kind of an attack may well lead to code execution, escalation of privileges, denial of service, or information and facts disclosure.
Another high-severity bug, CVE-2021-1075, charges 7.3 on the CVSS scale. NVIDIA Windows GPU Exhibit Driver for Windows, all variations, contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape the place the method dereferences a pointer that incorporates a location for memory that is no for a longer time legitimate, which might guide to code execution, denial of provider, or escalation of privileges.
Two medium-severity flaws, CVE-2021-1076 and CVE-2021-1077, both equally fee 6.6 on the CVSS scale. The former NVIDIA GPU Exhibit Driver for Windows and Linux, all variations, incorporates a vulnerability in the kernel method layer (nvlddmkm.sys or nvidia.ko) the place incorrect accessibility regulate may perhaps direct to denial of services, facts disclosure, or details corruption. The latter NVIDIA GPU Display Driver for Windows and Linux, R450 and R460 driver branch, is made up of a vulnerability where by the software makes use of a reference depend to take care of a source that is incorrectly up to date, which may well direct to denial of assistance.
And eventually, the medium-severity CVE-2021-1078 prices 5.5 on the CVSS scale and NVIDIA Windows GPU Display screen Driver for Windows, all variations, has a vulnerability in the kernel driver (nvlddmkm.sys) where by a NULL pointer dereference may possibly guide to method crash.
8 Nvidia vGPU Application Vulnerabilities
Meanwhile, Nvidia’s vGPU software package has 8 distinctive security holes. The virtualized GPU permits computing acceleration tailored for resource-intensive workloads like graphics-prosperous digital workstations, knowledge science and artificial intelligence.
The to start with four bugs are superior-severity input-validation bugs that can direct to information disclosure, knowledge tampering or DoS.
These are:
- CVE‑2021‑1080 (7.8 on the CVSS scale): A vulnerability in the vGPU Manager (vGPU plugin), in which selected enter facts is not validated
- CVE‑2021‑1081 (7.8): A vulnerability in the visitor kernel mode driver and vGPU supervisor (vGPU plugin), in which an input duration is not validated
- CVE‑2021‑1082 (7.8): A vulnerability in the vGPU Supervisor (vGPU plugin), stemming from an input length not being validated
- CVE‑2021‑1083 (7.8): A vulnerability in the visitor kernel-mode driver and vGPU Supervisor (vGPU plugin), also arising from an input size not remaining validated.
The other four could lead to a wide variety of outcomes if exploited:
- CVE‑2021‑1084 (7.8): A vulnerability in the visitor kernel-manner driver and vGPU Supervisor (vGPU plugin), in which an input duration is not validated, which might lead to knowledge tampering or DoS
- CVE‑2021‑1085 (7.3): A vulnerability in the vGPU Manager (vGPU plugin) could allow for an attacker to compose to a shared-memory site and manipulate the knowledge immediately after the facts has been validated, which may guide to denial of services and escalation of privileges
- CVE‑2021‑1086 (7.1): A vulnerability in the vGPU Manager (vGPU plugin) permits visitors to command unauthorized sources, which could guide to integrity and confidentiality decline, or information and facts disclosure
- CVE‑2021‑1087 (5.5): A vulnerability in the vGPU Supervisor (vGPU plugin), could let an attacker to retrieve data that could lead to an address space structure randomization (ASLR) bypass, which in transform could crack open up the doorway to memory-corruption bug exploitation.
Nvidia has produced patches to mitigate all of the bugs, which takes advantage of can down load at through the Nvidia Driver Downloads page or, for the vGPU program update, by way of the Nvidia Licensing Portal. Affected version tables are available in Nvidia’s advisory, introduced Friday.
Nvidia proceeds to deal with security bugs on a common foundation. In January, it released fixes tied to 16 CVEs across its graphics drivers and vGPU computer software, in its very first security update of 2021. And quickly following, it issued patches for its Tesla-centered GPUs and its Protect Tv set lineup.
Obtain our exceptional Free Threatpost Insider E-book, “2021: The Evolution of Ransomware,” to help hone your cyber-protection procedures against this developing scourge. We go beyond the status quo to uncover what’s following for ransomware and the related emerging hazards. Get the total story and Obtain the Book now – on us!
Some parts of this article are sourced from:
threatpost.com