IBM Support

Security Bulletin: Windows Privilege Impersonation Check affects NVIDIA Windows Device Driver for use on NVIDIA PCIe cards installed in System x servers (CVE-2015-1170)

Created by Sheila Hegeman on
Published URL:
https://www.ibm.com/support/pages/node/866758
866758

Security Bulletin


Summary

The NVIDIA Windows Server 2008 and 2008 R2 Display Driver's kernel administrator check improperly validates local client impersonation levels in some cases when using the NVIDIA Windows Device Driver for use on NVIDIA PCIe cards installed in System x Servers. NVIDIA's PCIe cards are functioning within specification; this is a software implementation issue.

Vulnerability Details

Summary

The NVIDIA Windows Server 2008 and 2008 R2 Display Driver's kernel administrator check improperly validates local client impersonation levels in some cases when using the NVIDIA Windows Device Driver for use on NVIDIA PCIe cards installed in System x Servers. NVIDIA's PCIe cards are functioning within specification; this is a software implementation issue.

Vulnerability Details:

CVE-ID: CVE-2015-1170

Description: The NVIDIA Display Driver, as used by multiple products, could allow a local attacker to gain elevated privileges, caused by the failure to properly validate local client impersonation levels. An attacker could exploit this vulnerability using unspecified API calls to gain administrative privileges on the system.

CVSS Base Score: 7.2
CVSS Temporal Score: See http://exchange.xforce.ibmcloud.com/vulnerabilities/101911 for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:C/I:C/A:C)

The attacker must already have local access on the machine. Under certain conditions, a local user on the system can use improper impersonation behaviors of NVIDIA driver APIs to access resources that are intended for local administrator access only. Under these conditions, this behavior may lead to privilege escalation of the local user account, leading to a system compromise.

Affected products and versions

The following NVIDIA Server 2008 and 2008 R2 Windows Display Driver versions are affected:

  • R304 -> prior to 309.08
  • R340 -> prior to 341.44
  • R343 -> prior to 345.20
  • R346 -> prior to 347.52

In addition, the following NVIDIA products are affected:

NVIDIA Tesla M2xxx, K10, K20, K40, K80 series GPUs NVIDIA Quadro 6xx, 1xxx, 2xxx, 3xxx, 4xxx, 5xxx, 6xxx, K6xx, K2xxx, K4xxx, K5xxx, K6xxx series GPUs NVIDIA Grid GPUs

The following System x servers that have one or more of the NVIDIA products installed:

  • BladeCenter HS22/HS22V with BladeCenter GPU Expansion Device
  • BladeCenter HS23/HS23E with BladeCneter GPU Expansion Device
  • Flex System x220 Compute node with PCIExpress Expansion Node
  • Flex System x240 Compute node with PCIExpress Expansion Node
  • System x iDataPlex dx360 M2
  • System x iDataPlex dx360 M3
  • System x iDataPlex dx360 M4
  • System x NeXtScale nx360 M4
  • System x NeXtScale nx360 M5
  • System x3100 M4
  • System x3200 M3
  • System x3250 M3
  • System x3250 M4
  • System x3300 M4
  • System x3400 M2
  • System x3400 M3
  • System x3500 M2
  • System x3500 M3
  • System x3500 M4
  • System x3500 M5
  • System x3520 M4
  • System x3530 M4
  • System x3550 M2
  • System x3550 M3
  • System x3550 M4
  • System x3620 M3
  • System x3630 M3
  • System x3630 M4
  • System x3650 M2
  • System x3650 M3
  • System x3650 M4
  • System x3650 M5
  • System x3690 X5
  • System x3750 M2
  • System x3750 M3
  • System x3750 M4
  • System x3850 X5
  • System x3850 X6
  • System x3950 X6

Remediation/Fixes:

It is recommended to apply the following fix for the version specified:

  • R304 -> Version 309.08 or later
  • R340 -> Version 341.44 or later
  • R343 -> Version 345.20 or later
  • R346 -> Version 347.52 or later

Instructions on how to download and apply these updates are available at:

http://www.nvidia.com/Download/index.aspx?lang=en-us

Refer to NVIDIA Answer ID 3634 for patch and upgrade information:

http://nvidia.custhelp.com/app/answers/detail/a_id/3634

Workarounds and Mitigations:

As the exploit requires local access and a user/process running as administrator to allow impersonation, safe computing practices can help mitigate your general risk.

As always, observe safe computing practices by:

  • Only downloading or executing content and programs from trusted third parties.
  • Run your system and programs with the least privilege necessary. Users should run without administrator rights whenever possible.
  • When running as administrator, do not elevate UAC privileges for activities or programs that don't need them.

Reference:

Related Information:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

This bug was reported to NVIDIA by James Forshaw, Project Zero, Google.

Change History
30 April 2015: Original Copy Published

* The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Securiy Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Get Notified about Future Security Bulletins

References

On

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide

Operating System

BladeCenter:Operating system independent / None

System x:Operating system independent / None

PureFlex System and Flex System:Operating system independent / None

Lenovo x86 servers:Operating system independent / None

[{"Type":"HW","Business Unit":{"code":"BU056","label":"Miscellaneous"},"Product":{"code":"HW21Q","label":"BladeCenter HS22"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Line of Business":{"code":"LOB18","label":"Miscellaneous LOB"}},{"Type":"HW","Business Unit":{"code":"BU016","label":"Multiple Vendor Support"},"Product":{"code":"HW232","label":"BladeCenter->BladeCenter HS22V"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Line of Business":{"code":"","label":""}},{"Type":"HW","Business Unit":{"code":"BU016","label":"Multiple Vendor Support"},"Product":{"code":"HW239","label":"BladeCenter->BladeCenter HS23"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Line of Business":{"code":"","label":""}},{"Type":"HW","Business Unit":{"code":"BU016","label":"Multiple Vendor Support"},"Product":{"code":"HW23F","label":"BladeCenter->BladeCenter HS23E"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Line of Business":{"code":"LOB18","label":"Miscellaneous LOB"}},{"Type":"HW","Business Unit":{"code":"BU016","label":"Multiple Vendor Support"},"Product":{"code":"HW317","label":"System x->System x3500"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Line of Business":{"code":"","label":""}},{"Type":"HW","Business Unit":{"code":"BU016","label":"Multiple Vendor Support"},"Product":{"code":"HW319","label":"System x->System x3650"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Line of Business":{"code":"","label":""}},{"Type":"HW","Business Unit":{"code":"BU016","label":"Multiple Vendor Support"},"Product":{"code":"HW31U","label":"System x->System x iDataPlex dx360 M2 server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Line of Business":{"code":"","label":""}},{"Type":"HW","Business Unit":{"code":"BU016","label":"Multiple Vendor Support"},"Product":{"code":"HW341","label":"System x->System x3250 M4"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Line of Business":{"code":"","label":""}},{"Type":"HW","Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"HW94B","label":"PureFlex System and Flex System->x220 Compute Node"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Line of Business":{"code":"","label":""}},{"Type":"HW","Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"HW94D","label":"PureFlex System and Flex System - x240 Compute Node"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Line of Business":{"code":"","label":""}},{"Type":"HW","Business Unit":{"code":"BU016","label":"Multiple Vendor Support"},"Product":{"code":"HWX10","label":"System x->System x3400 M2"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Line of Business":{"code":"","label":""}},{"Type":"HW","Business Unit":{"code":"BU016","label":"Multiple Vendor Support"},"Product":{"code":"HWX20","label":"System x->System x3500 M2"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Line of Business":{"code":"","label":""}},{"Type":"HW","Business Unit":{"code":"BU016","label":"Multiple Vendor Support"},"Product":{"code":"HWX30","label":"System x->System x3550 M2"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Line of Business":{"code":"","label":""}},{"Type":"HW","Business Unit":{"code":"BU016","label":"Multiple Vendor Support"},"Product":{"code":"HWX40","label":"System x->System x3650 M2"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Line of Business":{"code":"","label":""}},{"Type":"HW","Business Unit":{"code":"BU016","label":"Multiple Vendor Support"},"Product":{"code":"HWX50","label":"System x->System x3200 M3"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Line of Business":{"code":"","label":""}},{"Type":"HW","Business Unit":{"code":"BU016","label":"Multiple Vendor Support"},"Product":{"code":"HWX60","label":"System x->System x3250 M3"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Line of Business":{"code":"","label":""}},{"Type":"HW","Business Unit":{"code":"BU016","label":"Multiple Vendor Support"},"Product":{"code":"HWX70","label":"System x->System x3400 M3"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Line of Business":{"code":"","label":""}},{"Type":"HW","Business Unit":{"code":"BU016","label":"Multiple Vendor Support"},"Product":{"code":"HWX80","label":"System x->System x3500 M3"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Line of Business":{"code":"","label":""}},{"Type":"HW","Business Unit":{"code":"BU016","label":"Multiple Vendor Support"},"Product":{"code":"HWX81","label":"System x->System x3500 M4"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Line of Business":{"code":"","label":""}},{"Type":"HW","Business Unit":{"code":"BU016","label":"Multiple Vendor Support"},"Product":{"code":"HWX90","label":"System x->System x3550 M3"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Line of Business":{"code":"","label":""}},{"Type":"HW","Business Unit":{"code":"BU016","label":"Multiple Vendor Support"},"Product":{"code":"HWX91","label":"System x->System x3550 M4"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Line of Business":{"code":"","label":""}},{"Type":"HW","Business Unit":{"code":"BU016","label":"Multiple Vendor Support"},"Product":{"code":"HWXA0","label":"System x->System x3650 M3"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Line of Business":{"code":"","label":""}},{"Type":"HW","Business Unit":{"code":"BU016","label":"Multiple Vendor Support"},"Product":{"code":"HWXA3","label":"System x->System x3650 M4"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Line of Business":{"code":"","label":""}},{"Type":"HW","Business Unit":{"code":"BU016","label":"Multiple Vendor Support"},"Product":{"code":"HWXA7","label":"System x->NeXtScale nx360 M4"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Line of Business":{"code":"","label":""}},{"Type":"HW","Business Unit":{"code":"BU016","label":"Multiple Vendor Support"},"Product":{"code":"HWXB0","label":"System x->System x3690 X5"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Line of Business":{"code":"","label":""}},{"Type":"HW","Business Unit":{"code":"BU016","label":"Multiple Vendor Support"},"Product":{"code":"HWXB1","label":"System x->System x3950 X6"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Line of Business":{"code":"","label":""}},{"Type":"HW","Business Unit":{"code":"BU016","label":"Multiple Vendor Support"},"Product":{"code":"HWXB4","label":"Lenovo x86 servers->Lenovo System x3650 M5"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Line of Business":{"code":"","label":""}},{"Type":"HW","Business Unit":{"code":"BU016","label":"Multiple Vendor Support"},"Product":{"code":"HWXBA","label":"Lenovo x86 servers->Lenovo NeXtScale nx360 M5"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Line of Business":{"code":"","label":""}},{"Type":"HW","Business Unit":{"code":"BU016","label":"Multiple Vendor Support"},"Product":{"code":"HWXC0","label":"System x->System x3850 X5"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Line of Business":{"code":"","label":""}},{"Type":"HW","Business Unit":{"code":"BU016","label":"Multiple Vendor Support"},"Product":{"code":"HWXF0","label":"System x->System x iDataPlex dx360 M3 server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Line of Business":{"code":"","label":""}},{"Type":"HW","Business Unit":{"code":"BU016","label":"Multiple Vendor Support"},"Product":{"code":"HWXF6","label":"System x->System x iDataPlex dx360 M4 server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Line of Business":{"code":"","label":""}},{"Type":"HW","Business Unit":{"code":"BU016","label":"Multiple Vendor Support"},"Product":{"code":"HWXG0","label":"System x->System x3620 M3"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Line of Business":{"code":"","label":""}},{"Type":"HW","Business Unit":{"code":"BU016","label":"Multiple Vendor Support"},"Product":{"code":"HWXG4","label":"System x->System x3300 M4"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Line of Business":{"code":"","label":""}},{"Type":"HW","Business Unit":{"code":"BU016","label":"Multiple Vendor Support"},"Product":{"code":"HWXG6","label":"System x->System x3750 M4"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Line of Business":{"code":"","label":""}},{"Type":"HW","Business Unit":{"code":"BU016","label":"Multiple Vendor Support"},"Product":{"code":"HWXH0","label":"System x->System x3630 M3"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Line of Business":{"code":"","label":""}},{"Type":"HW","Business Unit":{"code":"BU016","label":"Multiple Vendor Support"},"Product":{"code":"HWXH1","label":"System x->System x3630 M4"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Line of Business":{"code":"","label":""}},{"Type":"HW","Business Unit":{"code":"BU016","label":"Multiple Vendor Support"},"Product":{"code":"HWXK0","label":"System x->System x3100 M4"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Line of Business":{"code":"","label":""}},{"Type":"HW","Business Unit":{"code":"BU016","label":"Multiple Vendor Support"},"Product":{"code":"HWXM0","label":"System x->System x3850 X6"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Line of Business":{"code":"","label":""}}]

Document Information

Modified date:
18 April 2023

UID

ibm1MIGR-5097841