NVIDIA has released security patches for high severity flaws that were found in their Windows and Linux GPU display drivers along with others that affect the NVIDIA Virtual GPU management software. The vulnerabilities exposed Windows and Linux machines to attacks from threat actors that could lead to denial of service, escalation of privileges, data tampering, and information disclosure. Every one of the bugs that the company outlined required local user access, which means that before any of them could be exploited an attacker would first have to gain access to vulnerable devices through another attack vector. The bugs were ranked from 5.3 to 8.4 on the severity scale, with 11 of them being ranked as high severity. At the time of writing, all of the security issues have been addressed except those tracked as CVE‑2021‑1052, CVE‑2021‑1053, and CVE‑2021‑1056, which are expected to have patches released later today (January 8th, 2020).
Analyst Notes
NVIDIA stated that the “risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk of your local installation.” The company also advised in their report that companies should review the vulnerabilities internally or through a third-party to evaluate the risk posed to a specific organization. Any company that uses the affected versions of the product should ensure that they install patches as soon as they can. Often times, threat actors will continue to use old vulnerabilities that have patches released to target companies that are negligent in patching.
The security Bulletin from NVIDIA with the full list of vulnerabilities can be found here: https://nvidia.custhelp.com/app/answers/detail/a_id/5142/kw/Security%20Bulletin
More on the topic can be read here: https://www.bleepingcomputer.com/news/security/nvidia-fixes-high-severity-flaws-affecting-windows-linux-devices/
