- Joined
- Mar 3, 2018
- Messages
- 1,713
Nvidia released the 419.17 drivers a few days ago, and as we noted, they featured a number of new SLI profiles, GPU video encoding improvements, and the usual round of bug fixes and enhancements. But yesterday, BleepingComputer found that the new drivers also came with fixes to a number of security vulnerabilities, with CVVS V3 scores ranging from 8.8 (High/Serious) to 2.2 (Low). Nvidia claims that all of the most serious vulnerabilities should be fixed by simply installing the 419.17 drivers, and at least some of them were already patched in older Quadro and Tesla driver releases, but one vulnerability in particular requires manual intervention. CVE‑2018‑6260, which appears to be related to the performance counter exploit researchers published last November, requires manual user intervention to patch. The 419.17 release notes describe the fix, which I've quoted below.
The NVIDIA graphics driver contains a vulnerability (CVE-2018-6260) that may allow access to application data processed on the GPU through a side channel exposed by the GPU performance counters. GPU performance counters are needed by developers in order to use NVIDIA developer tools such as CUPTI, Nsight Graphics, and Nsight Compute. In order to address CVE-2018-6260 the driver needs to be updated and additional steps listed below are needed to disable access to non-admin users. For more information about CVE-2018-6260 visit the NVIDIA Security Bulletin 4772. Access to GPU performance counters should be disabled for non-admin users who do not need to use NVIDIA developer tools. Restricting access to GPU performance counters can be accomplished through the NVIDIA Control Panel->Developer->Manage GPU Performance Counters page (NV Control Panel v8.1.950). Refer to the Developer->Manage GPU Performance Counters section of the NVIDIA Control Panel Help for instructions.
Those release notes suggest the fix may not even be necessary for users who don't have the "developer settings" checkbox enabled, and the vulnerability page notes that it requires "local user access" to exploit anyway.
The NVIDIA graphics driver contains a vulnerability (CVE-2018-6260) that may allow access to application data processed on the GPU through a side channel exposed by the GPU performance counters. GPU performance counters are needed by developers in order to use NVIDIA developer tools such as CUPTI, Nsight Graphics, and Nsight Compute. In order to address CVE-2018-6260 the driver needs to be updated and additional steps listed below are needed to disable access to non-admin users. For more information about CVE-2018-6260 visit the NVIDIA Security Bulletin 4772. Access to GPU performance counters should be disabled for non-admin users who do not need to use NVIDIA developer tools. Restricting access to GPU performance counters can be accomplished through the NVIDIA Control Panel->Developer->Manage GPU Performance Counters page (NV Control Panel v8.1.950). Refer to the Developer->Manage GPU Performance Counters section of the NVIDIA Control Panel Help for instructions.
Those release notes suggest the fix may not even be necessary for users who don't have the "developer settings" checkbox enabled, and the vulnerability page notes that it requires "local user access" to exploit anyway.