NVIDIA engineers released security updates this week that fix many vulnerabilities in the company's products: its graphics drivers and GeForce Experience. Fortunately, all of the fixed issues require local access to the system and cannot be exploited remotely; that is, an attacker would first have to compromise the target machine in some other way.
In total, eight vulnerabilities were fixed in the NVIDIA GPU Display Driver that could lead to a denial of service, privilege escalation, or information disclosure.
The most serious of these are two vulnerabilities in nvlddmkm.sys. The bugs are tracked as CVE-2019-5690 and CVE-2019-5691, and each scored 7.8 points on the CVSS vulnerability rating scale. Both problems can lead to denial of service or privilege escalation. Another vulnerability, CVE-2019-5692, affects the same component and could also lead to privilege escalation or denial of service.
Three vulnerabilities have been fixed in NVIDIA GeForce Experience; exploiting them can lead to arbitrary code execution, information disclosure, or denial of service.
The most serious is CVE-2019-5701 (CVSS score 7.8): when GameStream is enabled, the bug allows an attacker with local access to the system to load the Intel graphics driver DLL without validation. This may result in denial of service, information disclosure, or privilege escalation.
The vulnerability in the Downloader component (CVE-2019-5689, CVSS score 6.7) is also dangerous: an attacker with local access can use it to download malicious files. This can lead to code execution, denial of service, or information disclosure.
All of the vulnerabilities have already been fixed in NVIDIA GPU Display Driver 441.12 for Windows (for GeForce and Quadro versions of NVS R440) and in NVIDIA GeForce Experience 3.20.1.
Fixes are also included in NVIDIA GPU 8.2 (driver 426.26) for Windows and GPU 8.2 (driver 418.109) for Citrix Hypervisor, VMware vSphere, Red Hat Enterprise Linux KVM, and Nutanix AHV. In addition, NVIDIA developers promise to release patches for other versions of Quadro, NVS, Tesla and GPU in a week.