NVIDIA released a security update for its drivers, fixing several issues that could lead to denial of service, escalation of privileges, or information disclosure. The update covers multiple vulnerabilities affecting both the display driver and the Virtual GPU Manager (vGPU).
All software and hardware have the potential to host vulnerabilities. NVIDIA’s GPUs are no exception, although they do not need fixing all that often. Issues with GPUs are not easy to exploit, but when vulnerabilities do present themselves, they need to be patched because they can open the way for attackers.
The biggest issue underlined by NVIDIA has a base severity score of 8.4 (CVE‑2020‑5957), which is considered high. While details about the security issue were not provided, the company did explain, briefly, the potential effects.
“NVIDIA Windows GPU Display Driver contains a vulnerability in the NVIDIA Control Panel component in which an attacker with local system access can corrupt a system file, which may lead to denial of service or escalation of privileges,” says the advisory.
The other high-severity vulnerability, CVE‑2020‑5959, is just as cryptic: “NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU plugin, in which an input index value is incorrectly validated, which may lead to denial of service.”
The security vulnerabilities affect all GeForce R440 versions prior to 442.50, a selection of Quadro and NVS versions as well, and all Tesla versions, including R418 and R440.
Depending on the affected version, some fixes are set to arrive as soon as March 9th, 2020, with others landing a month later, in April. As usual, users are advised to upgrade their drivers as soon as the security patches arrive with the latest NVIDIA drivers.