Security Notice: NVIDIA Response to “Rendered Insecure: GPU Side Channel Attacks are Practical” - November 2018

2018-11-0900:00:00

nvidia.custhelp.com

2.1 Low

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.0004 Low

EPSS

Percentile

5.1%

JSON

November 9, 2018 This notice is a response to the October 2018 publication “Rendered Insecure: GPU Side Channel Attacks are Practical” regarding a software security issue in the NVIDIA GPU Graphics Driver. NVIDIA worked closely with the researchers and evaluated the issue following the Coordinated Vulnerability Disclosure process. NVIDIA assessed this issue with a base CVSS V3 score of 2.2 (low). NVIDIA will address the issue with a driver release and post a security bulletin on the NVIDIA Product Security page.

February 22, 2019 Update

NVIDIA has released updated drivers to address this issue. For more information, see Security Bulletin: NVIDIA GPU Display Driver - February 2019.

Details

CVE	Description	Base Score	CVSS V3 Vector
CVE‑2018‑6260	NVIDIA graphics driver contains a vulnerability that may allow access to application data processed on the GPU through a side channel exposed by the GPU performance counters. Local user access is required. This is not a network or remote attack vector.	2.2	AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Visit the NVIDIA Product Security page to

Subscribe to security bulletin notifications
See the current list of NVIDIA security bulletins
Report a potential vulnerability in any NVIDIA supported product
Learn more about the vulnerability management process followed by the NVIDIA Product Security Incident Response Team (PSIRT)