Latest Nvidia Drivers Patch Security Vulnerabilities

Discussion in 'HardForum Tech News' started by AlphaAtlas, Feb 26, 2019.

  1. AlphaAtlas

    AlphaAtlas [H]ard|Gawd Staff Member

    Messages:
    1,713
    Joined:
    Mar 3, 2018
    Nvidia released the 419.17 drivers a few days ago, and as we noted, they featured a number of new SLI profiles, GPU video encoding improvements, and the usual round of bug fixes and enhancements. But yesterday, BleepingComputer found that the new drivers also came with fixes to a number of security vulnerabilities, with CVVS V3 scores ranging from 8.8 (High/Serious) to 2.2 (Low). Nvidia claims that all of the most serious vulnerabilities should be fixed by simply installing the 419.17 drivers, and at least some of them were already patched in older Quadro and Tesla driver releases, but one vulnerability in particular requires manual intervention. CVE‑2018‑6260, which appears to be related to the performance counter exploit researchers published last November, requires manual user intervention to patch. The 419.17 release notes describe the fix, which I've quoted below.

    The NVIDIA graphics driver contains a vulnerability (CVE-2018-6260) that may allow access to application data processed on the GPU through a side channel exposed by the GPU performance counters. GPU performance counters are needed by developers in order to use NVIDIA developer tools such as CUPTI, Nsight Graphics, and Nsight Compute. In order to address CVE-2018-6260 the driver needs to be updated and additional steps listed below are needed to disable access to non-admin users. For more information about CVE-2018-6260 visit the NVIDIA Security Bulletin 4772. Access to GPU performance counters should be disabled for non-admin users who do not need to use NVIDIA developer tools. Restricting access to GPU performance counters can be accomplished through the NVIDIA Control Panel->Developer->Manage GPU Performance Counters page (NV Control Panel v8.1.950). Refer to the Developer->Manage GPU Performance Counters section of the NVIDIA Control Panel Help for instructions.

    Those release notes suggest the fix may not even be necessary for users who don't have the "developer settings" checkbox enabled, and the vulnerability page notes that it requires "local user access" to exploit anyway.
     
  2. Sikkyu

    Sikkyu I Question Reality

    Messages:
    2,882
    Joined:
    Jan 21, 2010
    well, the nvidia drivers are already data mining your computer so it doesn't seem like a big deal.
     
  3. IcePickFreak

    IcePickFreak [H]ard|Gawd

    Messages:
    1,075
    Joined:
    Dec 1, 2010
    I hear Jensen covers himself in Vicks vapor rub and only wears his leather jacket while he watches secret video feeds of Nvidia users and kisses each of us goodnight every night.
     
    DrezKill, {NG}Fidel and Sikkyu like this.
  4. Grimlaking

    Grimlaking 2[H]4U

    Messages:
    2,673
    Joined:
    May 9, 2006
    You mean that 500 megabyte driver set does things OTHER THAN VIDEO DRIVERS?! OH LORD SAY IT AINT SO!!

    Sorry... I just chuckle every time I get a video driver update from them for my consumer card.

    To the pro users out there.. Quadro and such. How large are your video driver sets?
     
  5. TheOne&OnlyZeke

    TheOne&OnlyZeke 100% Irish

    Messages:
    10,187
    Joined:
    Jul 21, 2000
    Latest driver seems to have fucked my Anthem game.
    It won't launch since the driver update
    Have to downgrade
     
  6. katanaD

    katanaD [H]ard|Gawd

    Messages:
    1,987
    Joined:
    Nov 15, 2016

    thatsmyfetish.gif
     
  7. IcePickFreak

    IcePickFreak [H]ard|Gawd

    Messages:
    1,075
    Joined:
    Dec 1, 2010
    IME they're around 200-300MB.
     
    GoldenTiger likes this.
  8. Axiomatic

    Axiomatic Limp Gawd

    Messages:
    451
    Joined:
    Jun 10, 2004
    I had a lot of problems landing this driver. Had to do a clean install to set it straight.
     
  9. polonyc2

    polonyc2 [H]ardForum Junkie

    Messages:
    16,156
    Joined:
    Oct 25, 2004
    I don't even have that 'Enable Developer Settings' option listed in Nvidia Control Panel