In brief: Three of the vulnerabilities – CVE-2019-5683, CVE-2019-5684 and CVE-2019-5685 – have been classified as high-risk with scores of 8.8, 7.8 and 7.8, respectively, while the other two vulnerabilities – CVE-2019-5686 and CVE-2019-5687 – are considered medium-risk with scores of 5.6 and 5.2, respectively. Scoring is based on the Common Vulnerability Scoring System (CVSS) V3 standard.
Nvidia has patched five vulnerabilities impacting GeForce, Quadro, NVS and Tesla GPU display drivers affecting versions of Windows from 7 through 10. If left unpatched, the flaws could lead to denial of service, escalation pf privileges and local code execution.
Two of the flaws were discovered by Piotr Bania of Cisco Talos. Bania previously discovered multiple vulnerabilities in areas of Nvidia drivers responsible for pixel shaders. As Bleeping Computer highlights, none of the vulnerabilities can be exploited remotely and thus require a bad actor to have physical access to a system.
| Software Product | Operating System | Affected Versions | Updated Version |
|---|---|---|---|
| GeForce | Windows | All R430 versions prior to 431.60 | 431.60 |
| Quadro, NVS | Windows | All R430 versions prior to 431.70 | 431.70 |
| All R418 Versions prior to 426.00 |
426.00 |
||
| All R400 versions | Available the week of August 19, 2019 | ||
| All R390 versions prior to 392.56 | 392.56 | ||
| Tesla | Windows | All R418 versions | Available the week of August 12, 2019 |
While it’s not common for attackers to go after systems through Nvidia’s drivers, it can happen as Google Project Zero researchers highlighted in 2017. “Modern graphic drivers are complicated and provide a large promising attack surface for EoPs and sandbox escapes from processes that have access to the GPU (e.g. the Chrome GPU process),” said researcher Oliver Chang.
Nvidia recommends downloading and installing the latest software update through the Nvidia driver downloads page ASAP.
Masthead credit: Nvidia chip by Hairem
