PSA: Nvidia Warns People To Update GPU Drivers Because of Security Problems

Krenum

Fully [H]
Joined
Apr 29, 2005
Messages
19,192
https://www.techradar.com/news/nvid...ers-right-now-due-to-severe-security-problems

Nvidia has revealed several worrying security issues in its graphics card drivers, and is strongly recommending anyone with one of its GPUs to update its drivers as soon as possible.
As ThreatPost reports, there are five driver security bugs that all score highly in the CVSS vulnerability scale".


The most dangerous of the security bugs that Nvidia has acknowledged appears to be CVE-2021-1074, which is 7.5 out of 10 on the CVSS scale. This bug was found in the Nvidia driver’s installer, and could allow an attacker with physical access to swap out an application resource with malicious files. This could lead to malicious code being run, a denial of service attack, or personal information being stolen.

Meanwhile, CVE-2021-1075 is another high severity bug (scoring 7.3 on the CVSS scale), and resides in the nvlddmkm.sys handler for DxgkDdiEscape. As ThreatPost explains, “the program dereferences a pointer that contains a location for memory that is no longer valid, which may lead to code execution, denial of service, or escalation of privileges.”


Furthermore,

CVE-2021-1076 is a medium-severity bug found in the Nvidia GPU Display Driver for Windows and Linux’s kernel mode layer, where malicious users can exploit improper access control to launch denial of service, information theft or data corruption attacks.


CVE-2021-1077 is a medium-level risk in the Windows and Linux drivers, where the driver “uses a reference count to manage a resource that is incorrectly updated, which may lead to denial of service.”


There is also another medium-severity bug, CVE-2021-1078, which was found in all versions of the Windows Nvidia Driver, and again affected the kernel – this time a NULL pointer deference could lead to the PC crashing.

If that’s not bad enough, Nvidia also revealed eight software vulnerabilities in its vGPU software – and these affect workstations and artificial intelligence workloads, and are all medium to high levels of severity.
 
What would have been helpful was the affected driver versions... had to click 2 websites past the article to find it.

For Geforce/RTX, 466.11 or higher is patched against the bugs. There are also patched versions for older driver branches, the list is here: https://nvidia.custhelp.com/app/answers/detail/a_id/5172

Article was a bit sensationalist, the most severe vulnerability requires physical access. That would be of concern to businesses dealing with an insider threat. Not so much any of us on out home pc's.
 
"could allow an attacker with physical access..."

Wait, you mean a person who has broken in to your house and has an access to your PC? FFS, Not again with this shit. If someone has a physical access to your rig you have more problems than vulnerability in a driver.

Alternatively I could see this being a problem with modded 3rd party drivers but that is a gamble anyway.
 
I know it's NVIDIA so yeah but a notice about a security bug that requires physical access.....

"Please be advised that if you're house is burning down there is a small chance that your toaster will malfunction."
 
"could allow an attacker with physical access..."

Wait, you mean a person who has broken in to your house and has an access to your PC? FFS, Not again with this shit. If someone has a physical access to your rig you have more problems than vulnerability in a driver.

Alternatively I could see this being a problem with modded 3rd party drivers but that is a gamble anyway.
Yeah this.
 
Very helpful in their push to get people to update drivers so they can further restrict mining!
 
CVE-2021-1075 and CVE-2021-1078 may explain the odd issues I've been having recently. It's bad when you let a memory leak or bad memory pointer slip by and ship in the drivers.
 
Wait, you mean a person who has broken in to your house and has an access to your PC?
"Requires physical access to your computer" can sometimes also mean "I think I'll plug in this flash drive I found on the street this morning. "
 
1620057138950.png

1620057714731.png

1620058272458.png
 
"Requires physical access to your computer" can sometimes also mean "I think I'll plug in this flash drive I found on the street this morning. "

That is plausible. Especially during the time when people are looking for lost USB sticks with bitcoins in them.
 
That is plausible. Especially during the time when people are looking for lost USB sticks with bitcoins in them.
Studies have been done showing that people who see one lying around tend to take it home (or to work) and plug it in to see what's on it, and these days it's pretty easy to create a malicious fake thumb drive.
 
Back
Top