Security Bulletin: Windows Privilege Impersonation Check affects NVIDIA Windows Device Driver for use on NVIDIA PCIe cards installed in System x servers (CVE-2015-1170)

Summary

The NVIDIA Windows Server 2008 and 2008 R2 Display Driver’s kernel administrator check improperly validates local client impersonation levels in some cases when using the NVIDIA Windows Device Driver for use on NVIDIA PCIe cards installed in System x Servers. NVIDIA’s PCIe cards are functioning within specification; this is a software implementation issue.

Vulnerability Details

Summary

The NVIDIA Windows Server 2008 and 2008 R2 Display Driver’s kernel administrator check improperly validates local client impersonation levels in some cases when using the NVIDIA Windows Device Driver for use on NVIDIA PCIe cards installed in System x Servers. NVIDIA’s PCIe cards are functioning within specification; this is a software implementation issue.

Vulnerability Details:

CVE-ID: CVE-2015-1170

Description: The NVIDIA Display Driver, as used by multiple products, could allow a local attacker to gain elevated privileges, caused by the failure to properly validate local client impersonation levels. An attacker could exploit this vulnerability using unspecified API calls to gain administrative privileges on the system.

CVSS Base Score: 7.2
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/101911 for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:C/I:C/A:C)

The attacker must already have local access on the machine. Under certain conditions, a local user on the system can use improper impersonation behaviors of NVIDIA driver APIs to access resources that are intended for local administrator access only. Under these conditions, this behavior may lead to privilege escalation of the local user account, leading to a system compromise.

Affected products and versions

The following NVIDIA Server 2008 and 2008 R2 Windows Display Driver versions are affected:

• R304 -> prior to 309.08
• R340 -> prior to 341.44
• R343 -> prior to 345.20
• R346 -> prior to 347.52

In addition, the following NVIDIA products are affected:

NVIDIA Tesla M2xxx, K10, K20, K40, K80 series GPUs NVIDIA Quadro 6xx, 1xxx, 2xxx, 3xxx, 4xxx, 5xxx, 6xxx, K6xx, K2xxx, K4xxx, K5xxx, K6xxx series GPUs NVIDIA Grid GPUs

The following System x servers that have one or more of the NVIDIA products installed:

• BladeCenter HS22/HS22V with BladeCenter GPU Expansion Device
• BladeCenter HS23/HS23E with BladeCneter GPU Expansion Device
• Flex System x220 Compute node with PCIExpress Expansion Node
• Flex System x240 Compute node with PCIExpress Expansion Node
• System x iDataPlex dx360 M2
• System x iDataPlex dx360 M3
• System x iDataPlex dx360 M4
• System x NeXtScale nx360 M4
• System x NeXtScale nx360 M5
• System x3100 M4
• System x3200 M3
• System x3250 M3
• System x3250 M4
• System x3300 M4
• System x3400 M2
• System x3400 M3
• System x3500 M2
• System x3500 M3
• System x3500 M4
• System x3500 M5
• System x3520 M4
• System x3530 M4
• System x3550 M2
• System x3550 M3
• System x3550 M4
• System x3620 M3
• System x3630 M3
• System x3630 M4
• System x3650 M2
• System x3650 M3
• System x3650 M4
• System x3650 M5
• System x3690 X5
• System x3750 M2
• System x3750 M3
• System x3750 M4
• System x3850 X5
• System x3850 X6
• System x3950 X6

Remediation/Fixes:

It is recommended to apply the following fix for the version specified:

• R304 -> Version 309.08 or later
• R340 -> Version 341.44 or later
• R343 -> Version 345.20 or later
• R346 -> Version 347.52 or later

Instructions on how to download and apply these updates are available at:

<http://www.nvidia.com/Download/index.aspx?lang=en-us&gt;

Refer to NVIDIA Answer ID 3634 for patch and upgrade information:

<http://nvidia.custhelp.com/app/answers/detail/a_id/3634&gt;

Workarounds and Mitigations:

As the exploit requires local access and a user/process running as administrator to allow impersonation, safe computing practices can help mitigate your general risk.

As always, observe safe computing practices by:

• Only downloading or executing content and programs from trusted third parties.
• Run your system and programs with the least privilege necessary. Users should run without administrator rights whenever possible.
• When running as administrator, do not elevate UAC privileges for activities or programs that don’t need them.

Reference:

• Complete CVSS Guide
• On-line Calculator V2

Related Information:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

This bug was reported to NVIDIA by James Forshaw, Project Zero, Google.

Change History
30 April 2015: Original Copy Published

• The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Securiy Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.