NVIDIA has released security updates to address six security vulnerabilities found in Windows and Linux GPU display drivers, as well as ten additional flaws affecting the NVIDIA Virtual GPU (vGPU) management software.

Releasing the patches on Thursday, the technology giant said they deal with issues which "may lead to denial of service, escalation of privileges, data tampering, or information disclosure."

The vulnerabilities expose Windows and Linux machines to attacks resulting in a denial of service, escalation of privileges, data tampering, or information disclosure.

In total, Nvidia has resolved 16 vulnerabilities linked to the Nvidia GPU display driver used to support graphics processing units, as well as in vGPU software for virtual workstations, servers, applications, and PCs.

All these security bugs require local user access, meaning potential attackers will first have to gain access to vulnerable devices using an additional attack vector.

High severity vulnerabilities patched

Following successful exploitation of one of the vulnerabilities patched today, attackers can easily escalate privileges to gain permissions above the default ones given by the OS.

They may also be exploited to render machines running vulnerable drivers or software temporarily unusable by triggering denial-of-service states or to get access to otherwise inaccessible information.

The most severe vulnerability dealt with in Nvidia's latest security round is CVE‑2021‑1051. Issued a CVSS score of 8.4, the issue affects the kernel mode layer for the Windows GPU display driver. If exploited, this flaw can lead to denial of service or privilege escalation.

NVIDIA has addressed the security issues in most affected software products and platforms except for those tracked as CVE‑2021‑1052, CVE‑2021‑1053, and CVE‑2021‑1056 impacting the Linux GPU Display Driver for Tesla GPUs, which will receive an updated driver version starting January 18, 2021.

CVE‑2021‑1052 is the next highest-severity vulnerability in the driver, but this bug impacts both Windows and Linux. The security flaw, given a severity score of 7.8, is also found in the kernel mode layer and enables user-mode clients to access legacy privileged APIs.

As a result, an exploit leveraging this vulnerability could result in denial of service, privilege escalation, and data leaks.

Nvidia has also resolved CVE‑2021‑1053, a display driver bug for Windows and Linux machines with a CVSS score of 6.6, suggesting this vulnerability is considered a moderate/important issue. Improper validation of a user pointer targeted at the same kernel mode layer can lead to denial of service.

Two other issues impact Windows machines specifically, at the same kernel mode layer, which are tracked as CVE‑2021‑1054 and CVE‑2021‑1055 with severity scores of 6.5 and 5.3, respectively.

These vulnerabilities involve failures to perform authorization checks and improper access controls and are exploitable to cause a denial of service. CVE‑2021‑1055 may also lead to data leaks.

The last vulnerability impacts Linux PCs only. Tracked as CVE‑2021‑1056 and issued a CVSS score of 5.3, this bug is due to operating system file system permission errors, leading to information disclosure and denial of service.

Except for CVE‑2021‑1066, a moderate CVSS 5.5 input validation issue in vGPU manager resulting in resource overload and denial of service, every vGPU software vulnerability was issued a severity score of 7.8.

Nvidia has patched eight vGPU manager and plugin vulnerabilities ranging from input data validation errors to race conditions and untrusted source values. These security flaws could result in information disclosure, integrity and confidentiality loss, and data tampering.

Two input validation vulnerabilities, CVE‑2021‑1058 and CVE‑2021‑1060, impact the guest kernel-mode driver and vGPU plugin.

To remain protected, Nvidia has recommended that users accept automatic security updates, or download them directly.

Priyanshu Vijayvargiya

Founder and Editor-in-Chief of 'Virtualattacks Inc' Priyanshu Vijayvargiya is a cybersecurity analyst, Information Security professional, developer, and a white hat hacker.
