NVIDIA Patches Vulnerability in its Drivers, To Roll Out More

Graphics chipmaker NVIDIA Corporation recently deployed security updates for its drivers and virtual GPU Manager (VGPU) to fix high-severity issues, said Hot for Security, a media outlet powered by cybersecurity company Bitdefender. It is also scheduled to release security patches for Windows in the second week of March.

The vulnerability, tracked as CVE-2020-5957, was given a severity rating of 8.4. An advisory by the chipmaker did not give in-depth details about the issue but shed some light on its basics. NVIDIA said that the “Windows GPU Display Driver contains a vulnerability in the NVIDIA Control Panel component.” It also noted that attackers “with local system access can corrupt a system file.”

The company also released some info about another security flaw dubbed CVE-2020-5959, with a severity score of 7.8. While vague, the announcement did say that it is connected with the VGPU plugin. Specifically, it was caused by the incorrect validation of an input index value.

According to Hot for Security, the addressed vulnerabilities put systems at risk of denial of service, escalation of privileges allowing unauthorized access, and disclosure of private information. The report also noted that graphics-related issues “are not easy to exploit,” but create an opening for malicious parties.

The Bitdefender media outlet noted that all GeForce R440 versions released before 442.50 are affected. Moreover, some Quadro and NVS versions were also at risk. For Tesla, the vulnerabilities were found present in R418 and R440 versions.

For Tesla software in Windows operating systems, all R440 versions will receive patches in the week of March 9, 2020.

Other vulnerabilities

Aside from the two high-severity issues, the company also released fixes for more minor ones. These include CVE-2020-5958 with a score of 6.7, CVE-2020-5960, which scored 6.5, and CVE-2020-5961, which scored 5.5.

As with the higher-scoring issues, the information released about these bugs was ambiguous. The chipmaker did say that CVE-2020-5958 allows the injection of malicious DLL files, while CVE-2020-5960 involved a bug in the kernel module. The CVE-2020-5961 patches dealt with an issue involving a guest OS that can lead to incorrect resource cleanup.

Meanwhile, the NVIDIA announcement said that its risk assessment is based on a variety of tests done on a set of installed systems. However, the company recommends that users consult security professionals to check for potential risks to their individual system configuration.

More patches are expected to come in April.