This week, NVIDIA engineers released security updates, fixing many vulnerabilities in their products: graphics drivers and GeForce Experience.
Fortunately, all the fixed problems require local access to the system and cannot be used remotely, that means that previously the attackers will have to compromise the target machine in a different way.
In total, eight vulnerabilities were fixed in the NVIDIA GPU Display Driver that could lead to a denial of service, privilege escalation, or information disclosure.
“This update addresses issues that may lead to code execution, information disclosure, or denial of service. To protect your system, download and install this software update through the GeForce Experience Downloads page”, — said in NVIDIA bulletin.
The most serious of these errors are two vulnerabilities in nvlddmkm.sys. The bugs have identifiers CVE‑2019‑5690 and CVE‑2019‑5691, and they scored 7.8 points on the CVSS vulnerability rating scale. Both problems can lead to denial of service or privilege escalation. Another vulnerability, CVE‑2019‑5692, also affects the same component and could also lead to privilege escalation or denial of service.
Three vulnerabilities have been fixed in the NVIDIA GeForce Experience, and their use can lead to the execution of arbitrary code, disclosure of information or denial of service.
The most serious is CVE‑2019‑5701 (CVSS score — 7.8 points).
“When you turn on the GameStream, the bug allows an attacker with local access to the system to load the Intel graphics driver DLL without checking. This could result in denial of service, disclosure of information, or privilege escalation”, – NVIDIA GeForce Experience developers report.
The vulnerability in the Downloader component is also dangerous (CVE‑2019-5689, CVSS score is 6.7 points), it can be used by an attacker with local access to download malicious files. This can lead to code execution, denial of service, or disclosure of confident information.
All vulnerabilities have already been fixed in the Windows version of the NVIDIA GPU Display Driver 441.12 (for GeForce and Quadro versions of NVS R440) and the version of NVIDIA GeForce Experience 3.20.1.
The fixes also include NVIDIA GPU 8.2 (driver 426.26) for Windows and GPU 8.2 (driver 418.109) for Citrix Hypervisor, VMware vSphere, Red Hat Enterprise Linux KVM, and Nutanix AHV. In addition, NVIDIA developers promise to release patches for other versions of Quadro, NVS, Tesla and GPU in a week.