This month, NVIDIA developers eliminated multiple denial of service (DoS) vulnerabilities in the company's drivers as well as in the NVIDIA Virtual GPU Manager.
Two flaws were fixed in the GPU display driver. The more serious is CVE-2020-5957 (8.4 points on the CVSS vulnerability rating scale), found in the NVIDIA Control Panel component. An attacker with local system access could exploit this vulnerability to corrupt system files, which could lead to a denial of service or privilege escalation.
The other vulnerability fixed in the Windows driver is CVE-2020-5958 (6.7 points on the CVSS vulnerability rating scale). The problem is also related to the Control Panel component and can be used by a local attacker to plant malicious DLL files, leading to code execution, denial of service or information disclosure.
NVIDIA fixed errors in the GPU Display Driver in version 442.50 (for GeForce, Quadro and NVS with R440), version 432.28 (for Quadro, NVS with R430), version 426.50 (for Quadro, NVS with R418) and version 392.59 (for Quadro, NVS with R390). For Tesla products running R418, GPU Display Driver 426.50 has been released. An update for R440 versions is due out March 9, 2020.
In addition, NVIDIA engineers resolved three vulnerabilities in the Virtual GPU Manager, the most important of which is CVE-2020-5959 (7.8 points on the CVSS vulnerability rating scale). The problem is with the vGPU plugin. An incorrect input index can result in a denial of service.
The second bug fixed in vGPU is CVE-2020-5960 (6.5 points on the CVSS vulnerability rating scale). It is in the kernel module (nvidia.ko), where a null pointer dereference can occur, which also leads to a denial of service.
A vulnerability in the vGPU driver for guest operating systems was also fixed (CVE-2020-5961, 5.5 points on the CVSS vulnerability rating scale). The problem could affect the guest virtual machine, resulting in a denial of service.
For vGPU, the version 8.3 fixes have already been released: vGPU graphics driver version 426.52 for Windows and version 418.130 for Linux. Corrections for vGPU versions 9.0–9.2 will be released on March 9, and corrections for versions 10.0 and 10.1 are scheduled for April 2020.
For Virtual GPU Manager (for Citrix Hypervisor, VMware vSphere, Red Hat Enterprise Linux KVM, and Nutanix AHV) versions 8.0–8.2, fixes are included in version 8.3 (driver version 418.130). Corrections for versions 9.0–9.2 will appear next week on March 9, and corrections for versions 10.0 and 10.1 are also planned for April.