NVIDIA Patches Several High Risk Security Flaws In Windows And Linux GeForce Drivers, Update Now
For as long as developers have been writing software code, they've been inadvertently creating bugs. It's when those bugs can compromise the security of a PC that a bug goes from an annoyance to a potential real danger. Security issues with apps can be worked around in the interim, even if it means uninstalling it, but what about when the security vulnerability is in the driver for some critical piece of hardware; say a video adapter? When that happens, developers have to isolate the cause and act quickly to plug the holes, or else risk any PC with that hardware being open to attack. Such was the case for NVIDIA this week.
The GeForce, Quadro, and AI accelerator maker has issued a series of driver updates this week to prevent ten years of graphics hardware from being susceptible to attacks. This is a big deal is because like video drivers from all major vendors, NVIDIA's drivers run in kernel mode with additional unrestricted access in the name of better performance. That's true of the oldest hardware on the market up to and including the latest Ampere GPUs from the GeForce RTX 30 Series.
The downside to that, is that the drivers become an attack vector if they're not kept secure. Should an attacker successfully exploit any of the [now] patched vulnerabilities, they could run other software with elevated privileges and access data on a PC without the user's consent or even knowledge. NVIDIA updated multiple driver versions because these vulnerabilities exist in multiple branches of its driver software. For instance, cards that use Fermi GPUs, which includes certain versions of the low-end GeForce 710, aren't supported beyond the 390 driver branch. It's likely that there are a lot of those cards still in service today, so that driver branch had to be updated.
In additional to multiple update versions, the reported issues affect both Windows and Linux, and there are accompanying drivers for each. All GeForce, Tesla, and Quadro cards that use these driver branches are affected. This applies to everyone with NVIDIA hardware supported by any of these releases. NVIDIA has issued updates for four branches in total: 390, 420, 450, and 460.
As for the issues themselves, they're the sort of thing that will keep IT security engineers and driver developers awake at night. The kernel-mode layer (nvlddmkm.dll) has a vulnerability in which a callback function attached to the DXGKDDI_ESCAPE event could result in a denial of service (DoS) attack or privilege escalation. User-mode clients can share data that way for legitimate purposes, but they had access to legacy private APIs via that callback. Another vulnerability in the same module would incorrectly perform an authorization check when a user tries to access certain resources, leading to a different vector for another DoS attack.
There are six separate issues in total, but they all relate to this bridge between user space and kernel space and user-level functions being able to do things they should not. Without updating, data could be compromised or a machine could be brought down due to a denial of service. Worse, those calls were made by services in Windows, so they didn't even require the OS to ask permission, or prompt a user for their administrative password in the case of Linux. NVIDIA's security bulletin has more details.
In addition, NVIDIA's virtualized GPU plugin, vGPU, could allocate resources for a guest to which that guest was not authorized. That would potentially allow users in a virtualized environment to snoop on other vGPU users and see data they would not otherwise be allowed to view. There are additional fixes for validating vGPU inputs, which could lead to using resources allocations that have been changed since first logging in.
For all hardware on Windows, and for GeForce and Quadro users on Linux, NVIDIA has already posted driver updates. The company says additional drivers will come for Tesla hardware the week of January 18. Be sure to head over to NVIDIA's driver page to grab the latest release for your hardware.