IBM Support

Security Bulletin: Vulnerabilities affect NVIDIA GPU Display Drivers for Linux and Windows

Security Bulletin


Summary

NVIDIA has released an update to address the following vulnerabilities in GPU Display Drivers for Linux and Windows.

Vulnerability Details

CVEID: CVE-2018-6260
DESCRIPTION: NVIDIA graphics driver could allow a local authenticated attacker to obtain sensitive information, caused by a flaw in the GPU performance counters. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 2.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/152869 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N)

CVEID: CVE-2019-5671
DESCRIPTION: NVIDIA GeForce Windows GPU Display driver is vulnerable to a denial of service, caused by a flaw in the handler for DxgkDdiEscape in kernel mode layer (nvlddmkm.sys). By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/157948 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)

CVEID: CVE-2019-5670
DESCRIPTION: NVIDIA GeForce Windows GPU Display driver could allow a local authenticated attacker to execute arbitrary code on the system, caused by a flaw in the handler for DxgkDdiEscape in kernel mode layer (nvlddmkm.sys). By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code, cause a denial of service condition, gain elevated privileges or obtain sensitive information.
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/157947 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

CVEID: CVE-2019-5669
DESCRIPTION: NVIDIA GeForce Windows GPU Display driver is vulnerable to a denial of service, caused by a flaw in the handler for DxgkDdiEscape in kernel mode layer (nvlddmkm.sys). By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition, or gain elevated privileges.
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/157946 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

CVEID: CVE-2019-5668
DESCRIPTION: NVIDIA GeForce Windows GPU Display driver is vulnerable to a denial of service, caused by a flaw in the handler for DxgkDdiSubmitCommandVirtual in kernel mode layer (nvlddmkm.sys). By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition, or gain elevated privileges.
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/157945 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

CVEID: CVE-2019-5667
DESCRIPTION: NVIDIA GeForce Windows GPU Display driver could allow a local authenticated attacker to execute arbitrary code on the system, caused by a flaw in the handler for DxgkDdiSetRootPageTable in kernel mode layer (nvlddmkm.sys). By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code, cause a denial of service condition or gain elevated privileges.
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/157944 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

CVEID: CVE-2019-5666
DESCRIPTION: NVIDIA GeForce Windows GPU Display driver is vulnerable to a denial of service, caused by improper calculating or using an array index in the kernel mode layer (nvlddmkm.sys). By sending a specially-crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition, or gain elevated privileges.
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/157943 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

CVEID: CVE-2019-5665
DESCRIPTION: NVIDIA GeForce Windows GPU Display driver could allow a local authenticated attacker to execute arbitrary code on the system, caused by improper handling of hard links in the 3D vision component. By using a specially-crafted file, an attacker could exploit this vulnerability to execute arbitrary code, cause a denial of service condition or gain elevated privileges.
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/157942 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

Product

Affected Version
NVIDIA Display Driver for Linux 367.27
NVIDIA Display Driver for Windows 2012 R2, 2012 and 2008 R2 368.86

Remediation/Fixes

Firmware fix versions are available on Fix Central:  http://www.ibm.com/support/fixcentral/

Product

Fixed Version

NVIDIA Display Driver for Linux
(NVIDIA-Linux-x86_64-410.104)

410.104
NVIDIA Display Driver for Windows 2012 R2, 2012 and 2008 R2
(412.29-tesla-desktop-winserver2008-2012r2-64bit-international)
 412.29

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Off

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Lenovo Product Security Advisories
Security Bulletin:  NVIDIA GPU Display Driver - February 2019

Change History

25 March 2019: Initial version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Internal Use Only

PRID 133441. 

Note, a 3rd NVIDIA Display driver fix for Windows Server 2016 is also posted to Fix Central along with these two fixes (for Linux and Windows 2008/2012), but there is not an IBM predecessor fix for this version, noting that the Windows server 2016 fix post-dates the 2014 divestiture,  so that's why it is not included within this Security Bulletin. 

[{"Business Unit":{"code":"BU016","label":"Multiple Vendor Support"},"Product":{"code":"HW19X","label":"System x-\u003EMicrosoft Datacenter"},"Component":"NVIDIA Device Driver","Platform":[{"code":"PF009","label":"Firmware"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"","label":""}},{"Business Unit":{"code":"BU050","label":"BU NOT IDENTIFIED"},"Product":{"code":"SSWLYD","label":"PureFlex System \u0026 Flex System"},"Component":"NVIDIA Device Driver","Platform":[{"code":"PF009","label":"Firmware"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"","label":""}},{"Business Unit":{"code":"BU016","label":"Multiple Vendor Support"},"Product":{"code":"SGUQZ9","label":"System x Blades"},"Component":"NVIDIA Device Driver","Platform":[{"code":"PF009","label":"Firmware"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"","label":""}}]

Document Information

Modified date:
02 April 2019

UID

ibm10876860

Page Feedback