FreeBSD : NVIDIA UNIX driver -- access to arbitrary system memory (b91234e7-9a8b-11e1-b666-001636d274f3)

2012-05-14T00:00:00
ID FREEBSD_PKG_B91234E79A8B11E1B666001636D274F3.NASL
Type nessus
Reporter This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2012-05-14T00:00:00

Description

NVIDIA Unix security team reports :

Security vulnerability CVE-2012-0946 in the NVIDIA UNIX driver was disclosed to NVIDIA on March 20th, 2012. The vulnerability makes it possible for an attacker who has read and write access to the GPU device nodes to reconfigure GPUs to gain access to arbitrary system memory. NVIDIA is not aware of any reports of this vulnerability, outside of the disclosure which was made privately to NVIDIA.

NVIDIA has identified the root cause of the vulnerability and has released updated drivers which close it. [NVIDIA encourages] all users with Geforce 8 or newer, G80 Quadro or newer, and all Tesla GPUs to update their drivers to 295.40 or later.

Later, it was additionally discovered that similar exploit could be achieved through remapping of VGA window :

NVIDIA received notification of a security exploit that uses NVIDIA UNIX device files to map and program registers to redirect the VGA window. Through the VGA window, the exploit can access any region of physical system memory. This arbitrary memory access can be further exploited, for example, to escalate user privileges.

                                        
                                            #%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2018 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
#    copyright notice, this list of conditions and the following
#    disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
#    published online in any format, converted to PDF, PostScript,
#    RTF and other formats) must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer
#    in the documentation and/or other materials provided with the
#    distribution.
# 
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(59086);
  script_version("1.10");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/06");

  script_cve_id("CVE-2012-0946", "CVE-2012-4225");

  script_name(english:"FreeBSD : NVIDIA UNIX driver -- access to arbitrary system memory (b91234e7-9a8b-11e1-b666-001636d274f3)");
  script_summary(english:"Checks for updated packages in pkg_info output");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote FreeBSD host is missing one or more security-related
updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"NVIDIA Unix security team reports :

Security vulnerability CVE-2012-0946 in the NVIDIA UNIX driver was
disclosed to NVIDIA on March 20th, 2012. The vulnerability makes it
possible for an attacker who has read and write access to the GPU
device nodes to reconfigure GPUs to gain access to arbitrary system
memory. NVIDIA is not aware of any reports of this vulnerability,
outside of the disclosure which was made privately to NVIDIA.

NVIDIA has identified the root cause of the vulnerability and has
released updated drivers which close it. [NVIDIA encourages] all users
with Geforce 8 or newer, G80 Quadro or newer, and all Tesla GPUs to
update their drivers to 295.40 or later.

Later, it was additionally discovered that similar exploit could be
achieved through remapping of VGA window :

NVIDIA received notification of a security exploit that uses NVIDIA
UNIX device files to map and program registers to redirect the VGA
window. Through the VGA window, the exploit can access any region of
physical system memory. This arbitrary memory access can be further
exploited, for example, to escalate user privileges."
  );
  # https://vuxml.freebsd.org/freebsd/b91234e7-9a8b-11e1-b666-001636d274f3.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?972674c6"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:nvidia-driver");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/03/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/05/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/05/14");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"FreeBSD Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");

  exit(0);
}


include("audit.inc");
include("freebsd_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;

if (pkg_test(save_report:TRUE, pkg:"nvidia-driver>173.14.35_2<295.71")) flag++;
if (pkg_test(save_report:TRUE, pkg:"nvidia-driver>96.43.20_3<173.14.35")) flag++;
if (pkg_test(save_report:TRUE, pkg:"nvidia-driver>71.86.15_3<96.43.20_2")) flag++;
if (pkg_test(save_report:TRUE, pkg:"nvidia-driver<71.86.15_2")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");