NVIDIA released a security update for its
drivers, fixing several issues that could lead to denial of service, escalation
of privileges, or information disclosure. The update covers multiple vulnerabilities
affecting both the display driver and the Virtual GPU Manager (VGPU).
All software and hardware have the
potential to host vulnerabilities. NVIDIA’s GPUs are no exception, although
they do not have to fix all that often. Issues with GPUs are not easy to
exploit, but when vulnerabilities do present themselves, they need to be
patched because they can open the way for attackers.
The biggest issue underlined by NVIDIA
has a base severity score of 8.4 (CVE‑2020‑5957), which is
considered high. While details about the security issue were not provided, the
company did explain, briefly, the potential effects.
“NVIDIA Windows GPU Display Driver
contains a vulnerability in the NVIDIA Control Panel component in which an
attacker with local system access can corrupt a system file, which may lead to
denial of service or escalation of privileges,” says the advisory.
The other high-severity vulnerability,
CVE‑2020‑5959, is just as cryptic: “NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU
plugin, in which an input index value is incorrectly validated, which may lead
to denial of service.”
The security vulnerabilities affect all
GeForce R440 versions prior to 442.50, a selection of Quadro and NVS versions
as well, and all Tesla versions, including R418 and R440.
Depending on the affected version, some fixes
are set to arrive as soon as March 9th, 2020, with others landing a month
later, in April. As usual, users are advised to upgrade their drivers as soon
the security patches arrive with the latest NVIDIA drivers.