NVIDIA has released security updates that correct flaws in the NVIDIA GPU Display Driver and NVIDIA vGPU Software.
An updated GPU display driver has been released with a fix for two vulnerabilities, both of which reside in the NVIDIA Control Panel. One of the flaws is rated high severity and could lead to local escalation of privileges and a denial of service condition on a vulnerable Windows device by corrupting a system file. The flaw, CVE-2020-5957, has been assigned a CVSS v3 base score of 8.4 out of 10.
The second flaw, tracked as CVE-2020-5958, is a medium severity vulnerability (CVSS v3 base score 6.7) that could lead to denial of service, information disclosure, and execution of arbitrary code. The flaw could be exploited by planting a malicious DLL file on a vulnerable device.
In order to exploit the vulnerabilities, an attacker would require local system access, which limits the potential for exploitation. However, the flaw could be exploited if an attacker remotely dropped malicious tools on a vulnerable system that was using the NVIDIA GPU display drivers.
The flaws have been corrected in GPU Display Driver version 442.50 for GeForce, Quadro, and NVS products running R440 versions, version 432.28 for Quadro and NVS running R430 versions, version 426.50 for Quadro and NVS running R418 versions, and version 392.59 for Quadro and NVS running R390 versions. Tesla products running R418 versions require the GPU Display Driver v426.50. For v440 versions, the patch will be released on March 9.
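A patch-status check built from the fixed versions listed above, as an added example that is not NVIDIA tooling or part of the original article. The host names and inventory rows are constructed, the driver branch is assumed to be recorded in the inventory, and the conversion assumes the Windows convention that the last five digits of the reported DriverVersion encode the NVIDIA version (26.21.14.4250 is 442.50).

```python
# Fixed driver version per branch and the products it covers, from the article.
FIXED = {
    "R440": ((442, 50), {"GeForce", "Quadro", "NVS"}),
    "R430": ((432, 28), {"Quadro", "NVS"}),
    "R418": ((426, 50), {"Quadro", "NVS", "Tesla"}),
    "R390": ((392, 59), {"Quadro", "NVS"}),
}

# Constructed inventory rows: host, product, branch, version as reported.
INVENTORY = [
    ("ws-01", "GeForce", "R440", "26.21.14.4166"),  # Windows format, 441.66
    ("ws-02", "Quadro", "R440", "26.21.14.4250"),   # Windows format, 442.50
    ("ws-03", "Quadro", "R390", "23.21.13.9135"),   # Windows format, 391.35
    ("gpu-01", "Tesla", "R418", "426.50"),          # NVIDIA format
    ("gpu-02", "Tesla", "R440", "440.33"),          # no Tesla R440 fix listed yet
]


def nvidia_version(raw):
    """Parse '442.50' or a Windows DriverVersion such as '26.21.14.4250'."""
    parts = raw.strip().split(".")
    if not all(p.isdigit() for p in parts) or len(parts) not in (2, 4):
        raise ValueError(f"unrecognised driver version: {raw!r}")
    if len(parts) == 2:
        return int(parts[0]), int(parts[1])
    # Assumed Windows convention: last five digits are the NVIDIA version.
    digits = "".join(parts)[-5:]
    return int(digits[:3]), int(digits[3:])


def assess(product, branch, raw):
    """Return 'patched', 'vulnerable' or 'no fix listed' for one device."""
    fixed, products = FIXED.get(branch, (None, set()))
    if product not in products:
        return "no fix listed"
    return "patched" if nvidia_version(raw) >= fixed else "vulnerable"


def report(inventory=INVENTORY):
    """Map each host to its patch status."""
    return {host: assess(product, branch, raw)
            for host, product, branch, raw in inventory}


if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host}: {status}")
```

Hosts reported as "no fix listed" are the ones to track against the later release dates given in the article.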
Three vulnerabilities have been identified in NVIDIA vGPU Software (CVE-2020-5959, CVE-2020-5960, and CVE-2020-5961), with severity scores ranging from 5.5 to 7.8. The vulnerabilities could lead to a denial of service condition. Patches for versions 9.0, 9.1, and 9.2 will be released on March 9, with patches for all other versions scheduled for April 2020.