Nvidia, which makes gaming-friendly graphics processing units (GPUs), on Thursday fixed a slew of high-severity flaws affecting its graphics driver. The vulnerabilities allow bad actors to cripple systems with denial of service attacks, escalate privileges, tamper with data or sniff out sensitive data.
Affected is Nvidia’s graphics driver (formally known as the GPU Display Driver) for Windows. The graphics driver is used in devices targeted to enthusiast gamers; it’s the software component that enables the device’s operating system and programs to use its high-level, gaming-optimized graphics hardware.
Nvidia’s Thursday security update addresses flaws tied to 16 CVEs overall. The most severe of these (CVE‑2021‑1051) is an issue in the graphics driver’s kernel mode layer. This flaw ranks 8.4 out of 10 on the CVSS scale, making it high severity.
Kernel mode is generally reserved for the lowest-level, most trusted functions of the operating system; in this case, the kernel mode layer (nvlddmkm.sys) handler for the DxgkDdiEscape interface contains a flaw in which an operation is performed that could be abused to launch a denial-of-service (DoS) attack or escalate privileges.
Another high-severity flaw (CVE‑2021‑1052) in this same kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape could allow user-mode clients to access legacy privileged application programming interfaces (APIs). According to Nvidia, this “may lead to denial of service, escalation of privileges, and information disclosure.”
Nvidia also stomped out four medium-severity flaws in its graphics driver. Three of these (CVE‑2021‑1053, CVE‑2021‑1054, CVE‑2021‑1055) also stem from the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape, while the fourth (CVE‑2021‑1056) exists in a kernel mode layer (nvidia.ko) that does not completely honor operating system file system permissions to provide GPU device-level isolation. That could allow for DoS or information disclosure.
Beyond its graphics drivers, Nvidia warned of flaws tied to nine high-severity CVEs in its virtual GPU (vGPU) software. Nvidia’s vGPU creates graphics-focused virtual desktops and workstations in tandem with the company’s data center Tesla accelerator GPUs.
vGPU Software Flaws
Many of the flaws addressed in Nvidia’s Thursday security advisory stem from Nvidia’s vGPU manager, its tool that enables multiple virtual machines to have simultaneous, direct access to a single physical GPU, while also using Nvidia graphics drivers deployed on non-virtualized operating systems.
One high-severity flaw exists in a plugin within the vGPU manager (CVE‑2021‑1057). This issue could allow guests to allocate some resources for which they are not authorized, which according to Nvidia could lead to data integrity and confidentiality loss, DoS and information disclosure. The vGPU manager also contains a flaw in the vGPU plugin (CVE‑2021‑1059) in which an input index is not validated, which could lead to an integer overflow. A race condition (CVE‑2021‑1061) in the vGPU plugin of the vGPU manager could essentially trick it into using a previously validated resource that has since changed, which may lead to DoS or information disclosure.
And, in another Nvidia vGPU plugin issue (CVE‑2021‑1065), input data is not validated, which may lead to tampering of data or DoS.
Various Nvidia GeForce Windows and Linux driver branches are affected; Nvidia has released a full list of affected versions and updated driver versions on its security advisory. The graphics chip manufacturer has likewise released fixes for specific versions of the vGPU software affected by these flaws on its website.
The security advisory is Nvidia’s first in 2021. Last year, the company issued its fair share of patches, including fixes for two high-severity flaws in the Windows version of its GeForce Experience software and a patch for a critical bug in its high-performance line of DGX servers, both in October, and a high-severity flaw in its GeForce NOW application software for Windows in November.