Nvidia releases security update for high-severity graphics driver vulnerabilities

Nvidia has released a round of security fixes tackling high-severity issues in the Nvidia GPU display driver and vGPU software. 

Released on Thursday, the technology giant said the patches deal with issues that "may lead to denial of service, escalation of privileges, data tampering, or information disclosure."

In total, Nvidia has resolved 16 vulnerabilities linked to the Nvidia GPU display driver used to support graphics processing units, as well in vGPU software for virtual workstations, servers, apps, and PCs. 

The most severe vulnerability dealt with in Nvidia's latest security round is CVE‑2021‑1051. Issued a CVSS score of 8.4, the problem impacts the kernel mode layer for the Windows GPU display driver. If exploited, this flaw can lead to denial of service or privilege escalation. 

CVE‑2021‑1052 is the second highest-severity vulnerability in the driver, but this bug impacts both Windows and Linux. The security flaw, awarded a severity score of 7.8, is also found in the kernel mode layer and permits user-mode clients access to legacy, privileged APIs. As a result, an exploit leveraging this vulnerability could lead to denial of service, privileges escalation, and information leaks. 

Nvidia has also resolved CVE‑2021‑1053, a display driver bug for Windows and Linux machines with a CVSS score of 6.6, indicating this vulnerability is considered a moderate/important issue. Improper validation of a user pointer targeted at the same kernel mode layer can lead to denial of service. 

Two other problems impact Windows machines specifically, in the same kernel mode layer, which are tracked as CVE‑2021‑1054 and CVE‑2021‑1055 with severity scores of 6.5 and 5.3, respectively. These vulnerabilities involve failures to perform authorization checks and improper access controls, and are exploitable to cause denial of service. CVE‑2021‑1055 may also lead to data leaks. 

The last vulnerability impacts Linux PCs only. Tracked as CVE‑2021‑1056 and issued a CVSS score of 5.3, this bug has been caused by operating system file system permissions errors, prompting information disclosure and denial of service. 

In total, 10 of the vulnerabilities reported impact Nvidia vGPU, eight of which relate to the vGPU manager.

With the exception of CVE‑2021‑1066, a moderate CVSS 5.5 input validation issue in vGPU manager leading to resource overload and denial of service, each vulnerability has been issued a severity score of 7.8. 

Nvidia has patched eight vGPU manager and plugin vulnerabilities ranging from input data validation errors to race conditions and untrusted source values. These security flaws could lead to information disclosure, integrity and confidentiality loss, and data tampering. 

Two input index validation vulnerabilities, CVE‑2021‑1058 and CVE‑2021‑1060, impact the guest kernel mode driver and vGPU plugin. The first can be triggered to cause an integer overflow, allowing data tampering, data leaks, and denial of service, whereas the second can be exploited for service denial and data manipulation.

In order to stay protected, Nvidia has recommended that users accept automatic security updates, or download them directly. 

Previous and related coverage

• Chip industry is going to need a lot more software to catch Nvidia's lead in AI
  
• Nvidia CEO Jensen Huang says ARM's been too specific, needs to be a broad computing platform
  
• Nvidia tackles code execution flaws, data leaks in GeForce Experience
  

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0