Bottom line: The latest Nvidia drivers have been discovered to patch eight serious security flaws, which, if exploited, can lead to denial of distribution, privilege escalation, code execution, and sensitive information disclosure. While these exploits require local access and software using them doesn’t exist in the wild, the Common Vulnerability Scoring System rates their deadliness as “high” so it’s best not to dally with updating your system.
Denial of service attacks can render the computer or the GPU inoperable, either by forcing a crash or by flooding it with more information than it can handle.
Privilege escalation can work in two ways: it can let attackers imitate other users or network devices to access their information and abilities (horizontal escalation), or it can let them access all data and control the computer (vertical escalation).
Code execution lets attackers run any software they want, and information disclosure means that attackers can see anything from how devices are configured to stored passwords.
The eight vulnerabilities have been given Common Vulnerability and Exposures (CVE) names, going from CVE-2019-5665 to CVE-2019-5671. The last vulnerability, CVE-2018-6260, is distinct from the rest because it is the only one to affect Linux in addition to Windows, and because it is much less severe, only letting attackers access GPU application data. They’ve also all been given Common Vulnerability Scoring System (CVSS) ratings, including 8.8 (high), 7.8 (high), 6.5 (medium) and 2.2 (low).
|Denial of Service||✔||✔||✔||✔||✔||✔||✔|
Vulnerabilities given a CVSS of 8.8 require local access, are of low complexity, require low privileges and no user interaction. They can affect other devices on the computer and have a high impact on system data confidentiality, integrity, and availability. Dropping to 7.8 means the vulnerability can’t impact resources the GPU wasn’t already able to access and dropping to 6.5 means there’s no impact to system data confidentiality or integrity.
While there’s no software buzzing around the Internet exploiting these vulnerabilities, we still recommend checking to see if your drivers are up to date and updating them if not. Version 419.17, released on February 22, will do the trick for GeForce and Quadro products on Windows, and 418.43 includes fixes for Linux.