Security Bulletin: Vulnerabilities affect NVIDIA GPU Display Drivers for Linux and Windows

Summary

NVIDIA has released an update to address the following vulnerabilities in GPU Display Drivers for Linux and Windows.

Vulnerability Details

CVEID: CVE-2018-6260 DESCRIPTION: NVIDIA graphics driver could allow a local authenticated attacker to obtain sensitive information, caused by a flaw in the GPU performance counters. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 2.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/152869&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N)

CVEID: CVE-2019-5671 DESCRIPTION: NVIDIA GeForce Windows GPU Display driver is vulnerable to a denial of service, caused by a flaw in the handler for DxgkDdiEscape in kernel mode layer (nvlddmkm.sys). By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base Score: 6.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/157948&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)

CVEID: CVE-2019-5670 DESCRIPTION: NVIDIA GeForce Windows GPU Display driver could allow a local authenticated attacker to execute arbitrary code on the system, caused by a flaw in the handler for DxgkDdiEscape in kernel mode layer (nvlddmkm.sys). By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code, cause a denial of service condition, gain elevated privileges or obtain sensitive information.
CVSS Base Score: 8.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/157947&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

CVEID: CVE-2019-5669 DESCRIPTION: NVIDIA GeForce Windows GPU Display driver is vulnerable to a denial of service, caused by a flaw in the handler for DxgkDdiEscape in kernel mode layer (nvlddmkm.sys). By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition, or gain elevated privileges.
CVSS Base Score: 8.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/157946&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

CVEID: CVE-2019-5668 DESCRIPTION: NVIDIA GeForce Windows GPU Display driver is vulnerable to a denial of service, caused by a flaw in the handler for DxgkDdiSubmitCommandVirtual in kernel mode layer (nvlddmkm.sys). By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition, or gain elevated privileges.
CVSS Base Score: 8.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/157945&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

CVEID: CVE-2019-5667 DESCRIPTION: NVIDIA GeForce Windows GPU Display driver could allow a local authenticated attacker to execute arbitrary code on the system, caused by a flaw in the handler for DxgkDdiSetRootPageTable in kernel mode layer (nvlddmkm.sys). By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code, cause a denial of service condition or gain elevated privileges.
CVSS Base Score: 8.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/157944&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

CVEID: CVE-2019-5666 DESCRIPTION: NVIDIA GeForce Windows GPU Display driver is vulnerable to a denial of service, caused by improper calculating or using an array index in the kernel mode layer (nvlddmkm.sys). By sending a specially-crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition, or gain elevated privileges.
CVSS Base Score: 8.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/157943&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

CVEID: CVE-2019-5665 DESCRIPTION: NVIDIA GeForce Windows GPU Display driver could allow a local authenticated attacker to execute arbitrary code on the system, caused by improper handling of hard links in the 3D vision component. By using a specially-crafted file, an attacker could exploit this vulnerability to execute arbitrary code, cause a denial of service condition or gain elevated privileges.
CVSS Base Score: 8.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/157942&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

Product

|

Affected Version

—|—
NVIDIA Display Driver for Linux | 367.27
NVIDIA Display Driver for Windows 2012 R2, 2012 and 2008 R2 | 368.86

Remediation/Fixes

Firmware fix versions are available on Fix Central: <http://www.ibm.com/support/fixcentral/&gt;

Product

|

Fixed Version

—|—
NVIDIA Display Driver for Linux
(NVIDIA-Linux-x86_64-410.104) |

410.104

NVIDIA Display Driver for Windows 2012 R2, 2012 and 2008 R2

(412.29-tesla-desktop-winserver2008-2012r2-64bit-international)

| 412.29

Workarounds and Mitigations

None