Author Topic: NVIDIA Fixes High Severity Flaw in Windows GPU Display Driver

javajolt
« on: February 29, 2020, 06:32:13 PM »
NVIDIA has released a GPU display driver security update today, February 28, 2020, that fixes high and medium severity vulnerabilities that might lead to code execution, local escalation of privileges, information disclosure, and denial of service on unpatched Windows computers.

All GPU display driver security flaws patched today by NVIDIA require local user access, which means that attackers will not be able to exploit them remotely but, instead, will need to first get a foothold on the system to execute exploit code targeting one of the fixed bugs.

While these security flaws require would-be attackers to have local user access, they can also be abused via malicious tools remotely dropped on systems running vulnerable NVIDIA GPU display drivers.

Today's security updates also fix one high severity and two medium severity flaws in the NVIDIA Virtual GPU Manager and the NVIDIA vGPU graphics driver for the guest OS that could lead to denial of service states when triggered.

Windows driver security issues

The two GPU display driver issues come with CVSS V3 base scores ranging from 6.7 to 8.4 and impact Windows machines, while the three NVIDIA vGPU software bugs have severity ratings between 5.5 and 7.8.

By abusing these security issues, attackers can easily escalate their privileges without needing user interaction to gain permissions above the ones initially granted by the compromised systems.

The bugs could also allow them to render unpatched machines temporarily unusable by triggering denial of service states, to execute malicious code, or to access sensitive information on targeted systems.

The software security issues fixed by NVIDIA as part of the February 2020 security update are listed in the table below, with full descriptions and CVSS V3 base scores.



According to NVIDIA's security bulletin published today, the "risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk of your local installation."

However, as the advisory adds, "NVIDIA recommends consulting a security or IT professional to evaluate the risk to your specific configuration."

The high severity CVE‑2020‑5957 flaw affecting the NVIDIA Windows GPU Display Driver which may lead to denial of service or escalation of privileges was reported by Zhiniang Peng of Qihoo 360 Core Security and Xuefeng Li.

Impacted GPU driver versions

Today's NVIDIA GPU Display Driver - February 2019 security bulletin also lists the affected and patched GPU display driver versions:



NVIDIA says that some users who will not patch the flaws manually may also receive the Windows GPU display driver 442.05 and 436.73 versions containing today's security updates from their computer hardware vendors.

"The table above may not be a comprehensive list of all affected versions or branch releases and may be updated as more information becomes available," NVIDIA adds.

"Earlier software branch releases that support these products are also affected. If you are using an earlier branch release, upgrade to the latest branch release."

NVIDIA advises all customers to patch their GeForce, Quadro, NVS, and Tesla Windows GPU display drivers by applying the security update available on the NVIDIA Driver Downloads page.

Enterprise NVIDIA vGPU software users will have to log into the NVIDIA Enterprise Application Hub to get the updates from the NVIDIA Licensing Center.

To find out which NVIDIA display driver version you currently have installed on your computer, you can follow the procedure detailed here.

source