In all, Nvidia patched flaws tied to 16 CVEs throughout its graphics drivers and vGPU software, in its first security update of 2021.
Nvidia, which makes gaming-helpful graphics processing models (GPUs), on Thursday fixed a slew of superior-severity flaws impacting its graphics driver. The vulnerabilities enable terrible actors to cripple systems with denial of services attacks, escalate privileges, tamper with information or sniff out sensitive info.
Affected is Nvidia’s graphics driver (formally acknowledged as the GPU Screen Driver) for Windows. The graphics driver is utilised in products targeted to enthusiast avid gamers it is the computer software ingredient that enables the device’s operating method and applications to use its substantial-amount, gaming-optimized graphics hardware.
Nvidia’s Thursday security update addresses flaws tied to 16 CVEs overall. The most extreme of these (CVE‑2021‑1051) is an issue in the graphic drivers’ kernel manner layer. This flaw ranks 8.4 out of 10 on the CVSS scale, making it large severity.
Kernel method is normally reserved for the most affordable-amount, most trustworthy features of the operating process in this scenario, the layer (nvlddmkm.sys) handler for the DxgkDdiEscape interface incorporates a glitch wherever an procedure is performed that could be abused to start a denial-of-services (DoS) attack or escalate privileges.
Another substantial-severity flaw (CVE‑2021‑1052) in this identical kernel manner layer (nvlddmkm.sys) handler for DxgkDdiEscape could make it possible for user-method consumers to entry legacy privileged software programming interfaces (APIs). According to Nvidia, this “may lead to denial of service, escalation of privileges, and info disclosure.”
Nvidia also stomped out four medium-severity flaws in its graphics driver. Three of these (CVE‑2021‑1053, CVE‑2021‑1054, CVE‑2021‑1055) also stem from the kernel manner layer (nvlddmkm.sys) handler for DxgkDdiEscape, whilst the fourth (CVE‑2021‑1056) exists in a kernel manner layer (nvidia.ko) that does not entirely honor operating method file method permissions to provide GPU unit-level isolation. That could permit for DoS or information disclosure.
Beyond its graphics motorists, Nvidia warned of flaws tied to nine superior-severity CVEs in its virtual GPU (vGPU) computer software. Nvidia’s vGPU results in graphics-forcused digital desktops and workstations in tandem with the company’s info centre Tesla accelerator GPUs.
vGPU Software Flaws
Quite a few of the flaws tackled in Nvidia’s Thursday security advisory stem from Nvidia’s vGPU supervisor, its instrument that permits various virtual machines to have simultaneous, direct entry to a one physical GPU, even though also making use of Nvidia graphics drivers deployed on non-virtualized working systems.
One particular large-severity flaw in exists in a plugin in just the vGPU manager (CVE‑2021‑1057). This issue could allow for attendees to allocate some methods for which they are not approved – which according to Nvidia could lead to facts integrity and confidentiality reduction, DoS and details disclosure. The vGPU manager also is made up of a flaw in the vGPU plugin (CVE‑2021‑1059), in which an enter index is not validated, which could lead to integer overflow. A race affliction (CVE‑2021‑1061) in the vGPU plugin of the vGPU supervisor could essentially trick it into using a earlier validated source that has because modified, which may perhaps guide to DoS or info disclosure.
And, in a different Nvidia vGPU plugin issue (CVE‑2021‑1065), input data is not validated, which could direct to tampering of info or DoS.
Numerous Nvidia GeForce Windows and Linux driver branches are affected Nvidia has introduced a complete list of influenced versions and up-to-date driver variations on its security advisory. The graphics chip producer has also unveiled fixes for precise variations of the vGPU application affected by these flaws on its site.
The security advisory is Nvidia’s 1st in 2021. Past 12 months, the enterprise issued its good share of patches such as fixes for two superior-severity flaws in the Windows model of its GeForce Experience software program, and a patch for a critical bug in its higher-general performance line of DGX servers, both in Oct and a superior-severity flaw in its GeForce NOW application software for Windows in November.
Provide-Chain Security: A 10-Issue Audit Webinar: Is your company’s program provide-chain prepared for an attack? On Wed., Jan. 20 at 2p.m. ET, start out pinpointing weaknesses in your provide-chain with actionable information from industry experts – part of a constrained-engagement and Stay Threatpost webinar. CISOs, AppDev and SysAdmin are invited to check with a panel of A-list cybersecurity experts how they can stay away from currently being caught exposed in a write-up-SolarWinds-hack earth. Attendance is limited: Register Now and reserve a place for this special Threatpost Supply-Chain Security webinar — Jan. 20, 2 p.m. ET.
Some components of this write-up are sourced from: