Security Bulletin: NVIDIA GPU Display Driver Security Updates for Multiple Vulnerabilities

NVIDIA GPU display driver vulnerabilities may lead to code execution, denial of service, information disclosure, or escalation of privileges. Go to NVIDIA Product Security.

Vulnerability Details

This section summarizes the potential vulnerabilities. Descriptions use CWE™ and risk assessments follow CVSS.

CVE-2018-6247

NVIDIA Windows GPU Display Driver contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape where a NULL pointer dereference may lead to denial of service or possible escalation of privileges.

CVSS Base Score: 8.8 CVSS Temporal Score: 7.9 CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C

CVE-2018-6248

NVIDIA Windows GPU Display Driver contains a vulnerability in the kernel mode layer handler for DxgkDdiEscape where the software uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds of the buffer which may lead to denial of service or possible escalation of privileges.

CVSS Base Score: 8.8 CVSS Temporal Score: 7.9 CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C

CVE-2018-6249

NVIDIA GPU Display Driver contains a vulnerability in kernel mode layer handler where a NULL pointer dereference may lead to denial of service or potential escalation of privileges.

CVSS Base Score: 8.8 CVSS Temporal Score: 7.9 CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C

CVE-2018-6250

NVIDIA Windows GPU Display Driver contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape where a NULL pointer dereference occurs, which may lead to denial of service or possible escalation of privileges.

CVSS Base Score: 8.2 CVSS Temporal Score: 7.1 CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C

CVE-2018-6251

NVIDIA Windows GPU Display Driver contains a vulnerability in the DirectX 10 Usermode driver, where a specially crafted pixel shader can cause writing to unallocated memory, leading to denial of service or potential code execution.

CVSS Base Score: 7.0 CVSS Temporal Score: 6.3 CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

CVE-2018-6252

NVIDIA Windows GPU Display Driver contains a vulnerability in the kernel mode layer handler for DxgkDdiEscape where the software allows an actor access to restricted functionality that is unnecessary for production usage, and which may result in denial of service.

CVSS Base Score: 6.5 CVSS Temporal Score: 5.9 CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C

CVE-2018-6253

NVIDIA GPU Display Driver contains a vulnerability in the DirectX and OpenGL Usermode drivers where a specially crafted pixel shader can cause infinite recursion leading to denial of service.

CVSS Base Score: 5.5 CVSS Temporal Score: 5.0 CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C

NVIDIA’s risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk of your local installation. NVIDIA recommends consulting a security or IT professional to evaluate the risk to your specific configuration. NVIDIA doesn’t know of any exploits of these issues at this time.

Affected Software

The following software is impacted by the issues described in this bulletin.

CVEs	Software Products	Operating Systems
CVE-2018-6247 CVE-2018-6248 CVE-2018-6249 CVE-2018-6250 CVE-2018-6251 CVE-2018-6252	GeForce Quadro NVS Tesla	Windows
CVE-2018-6249 CVE-2018-6253	GeForce Quadro NVS Tesla	Windows Linux FreeBSD Solaris

Notes:

• For available security updates, see Software Security Updates.
• The table may not be a comprehensive list of all impacted software versions or driver branches and may be updated as more information becomes available. For the latest information, check for updates to this bulletin or go to NVIDIA Product Security to subscribe to security bulletin notifications.
• Support may have expired for certain software versions or driver branches. Check the Windows legacy GPU releases and UNIX legacy GPU releases or contact NVIDIA Support with any questions.

Software Security Updates

The following supported software versions contain the security updates for the issues described in this bulletin. If you are using an unsupported software version or an earlier driver branch that is no longer supported, upgrade to one of the updated supported versions listed.

Windows

Product	Product Series	OS	Driver Branch	Updated Versions
GeForce	All	Windows	R390	391.35 including HD Audio 1.3.36.6
Quadro, NVS	All	Windows	R390	391.33 including HD Audio 1.3.36.6
R384	386.28 including HD Audio 1.3.36.6
Tesla	All	Windows	R390	391.29 including HD Audio 1.3.36.6
R384	386.28 including HD Audio 1.3.36.6

Linux

Product	Product Series	OS	Driver Branch	Updated Versions
GeForce	All	Linux, FreeBSD, Solaris	R390	390.48
R384	384.130
Quadro, NVS	All	Linux, FreeBSD, Solaris	R390	390.48
R384	384.130
Tesla	All	Linux	R390	390.46
R384	384.125

Notes

• Download GPU fixes from the NVIDIA Driver Downloads page.
• If you are an Enterprise Services customer using DGX-1 or DGX Station, visit the NVIDIA Support Enterprise Services portal for guidance.
• Your computer hardware vendor may provide you with security updates in a driver version not listed in the tables above. If so, check the vendor’s security bulletin to determine which driver versions from the vendor contain the security updates.

Mitigations

None.

Acknowledgements

CVE-2018-6251: NVIDIA thanks Piotr Bania of Cisco Talos for reporting this issue to NVIDIA PSIRT.

CVE-2018-6253: NVIDIA thanks the member of Cisco Talos for reporting this issue to NVIDIA PSIRT.