In brief: Three of the vulnerabilities – CVE-2019-5683, CVE-2019-5684 and CVE-2019-5685 – have been classified as high-risk with scores of 8.8, 7.8 and 7.8, respectively, while the other two vulnerabilities – CVE-2019-5686 and CVE-2019-5687 – are considered medium-risk with scores of 5.6 and 5.2, respectively. Scoring is based on the Common Vulnerability Scoring System (CVSS) V3 standard.
Nvidia has patched five vulnerabilities impacting GeForce, Quadro, NVS and Tesla GPU display drivers affecting versions of Windows from 7 through 10. If left unpatched, the flaws could lead to denial of service, escalation of privileges and local code execution.
Two of the flaws were discovered by Piotr Bania of Cisco Talos. Bania previously discovered multiple vulnerabilities in areas of Nvidia drivers responsible for pixel shaders.
As Bleeping Computer highlights, none of the vulnerabilities can be exploited remotely; exploiting them requires a bad actor to have physical access to a system.
While it’s not common for attackers to go after systems through Nvidia’s drivers, it can happen, as Google Project Zero researchers highlighted in 2017. “Modern graphic drivers are complicated and provide a large promising attack surface for EoPs and sandbox escapes from processes that have access to the GPU (e.g. the Chrome GPU process),” said researcher Oliver Chang.
Nvidia recommends downloading and installing the latest software update through the Nvidia driver downloads page ASAP.