NVIDIA修补了GPU显示驱动程序中的安全问题

NVIDIA发布了NVIDIA GPU显示驱动程序软件的安全更新修补可能导致代码执行,权限升级,拒绝服务或Windows和Linux计算机上的信息泄露等安全问题。

虽然所有这些软件缺陷都需要本地用户访问并且无法远程利用,但攻击者可以通过在运行易受攻击的NVIDIA GPU显示驱动程序的系统上通过各种方式远程植入恶意工具来利用它们。

这些问题与CVSSv3的基本分数从2.2到8.8不等有关,其中5个问题风险评估值已达到8.8(所有这些问题都会影响NVIDIA公司的Windows GPU显示驱动程序)。

通过触发导致拒绝服务状态的CVE,潜在的攻击者可以使易受攻击的计算机无法使用,同时利用未修补的代码执行漏洞,他们可以在受感染的计算机上运行命令或代码。

潜在攻击者还可以通过利用导致信息泄露的问题,收集有关运行过时版NVIDIA GPU显示驱动程序的系统的有价值信息。

下面列出了NVIDIA在其2019年2月安全更新中修复的软件缺陷,以及为每个安全更新分配的完整描述和CVSS V3基本分数。

CVE Description CVSS V3 Base Score
CVE‑2019‑5665 NVIDIA Windows GPU Display driver contains a vulnerability in the 3D vision component in which the stereo service software, when opening a file, does not check for hard links. This behavior may lead to code execution, denial of service or escalation of privileges. 8.8
CVE‑2019‑5666 NVIDIA Windows GPU Display Driver contains a vulnerability in the kernel mode layer (nvlddmkm.sys) create context command DDI DxgkDdiCreateContext in which the product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array, which may lead to denial of service or escalation of privileges. 8.8
CVE‑2019‑5667 NVIDIA Windows GPU Display Driver contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiSetRootPageTable in which the application dereferences a pointer that it expects to be valid, but is NULL, which may lead to code execution, denial of service or escalation of privileges. 8.8
CVE‑2019‑5668 NVIDIA Windows GPU Display Driver contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiSubmitCommandVirtual in which the application dereferences a pointer that it expects to be valid, but is NULL, which may lead to denial of service or escalation of privileges. 8.8
CVE‑2019‑5669 NVIDIA Windows GPU Display Driver contains a vulnerability in the kernel mode layer handler for DxgkDdiEscape in which the software uses a sequential operation to read from or write to a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds of the buffer, which may lead to denial of service or escalation of privileges. 8.8
CVE‑2019‑5670 NVIDIA Windows GPU Display Driver contains a vulnerability in the kernel mode layer handler for DxgkDdiEscape in which the software uses a sequential operation to read from or write to a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds of the buffer which may lead to denial of service, escalation of privileges, code execution or information disclosure. 7.8
CVE‑2019‑5671 NVIDIA Windows GPU Display Driver contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape in which the software does not release a resource after its effective lifetime has ended, which may lead to denial of service. 6.5
CVE‑2018‑6260 NVIDIA graphics driver contains a vulnerability that may allow access to application data processed on the GPU through a side channel exposed by the GPU performance counters. Local user access is required. This vulnerability is not a network or remote attack vector. 2.2

 

据NVIDIA称:

NVIDIA风险评估基于各种已安装系统的平均风险,可能并不代表您本地安装的真正风险。NVIDIA建议咨询安全或IT专业人员,以评估特定配置的风险。

在  NVIDIA GPU的显示驱动程序- 2019年2月安全公告中还有关于NVIDIA在其2019年2月安全更新补丁的安全问题的软件产品的完整列表。

建议所有用户通过应用NVIDIA驱动程序下载页面上提供的安全更新尽快更新其驱动程序。

 

原文链接