NVIDIA has released security updates to address six security vulnerabilities found in Windows and Linux GPU display drivers, as well as ten additional flaws affecting the NVIDIA Virtual GPU (vGPU) management software.
The vulnerabilities expose Windows and Linux machines to attacks leading to denial of service, escalation of privileges, data tampering, or information disclosure.
All these security bugs require local user access, which means that potential attackers will first have to gain access to vulnerable devices using an additional attack vector.
Eleven high severity vulnerabilities patched
Following successful exploitation of one of the vulnerabilities patched today, attackers can easily escalate privileges to gain permissions above the default ones granted by the OS.
They can also be exploited to render machines running vulnerable drivers or software temporarily unusable by triggering denial-of-service states or to gain access to otherwise unobtainable information.
NVIDIA has addressed the security issues in all affected software products and platforms with the exception of those tracked as CVE‑2021‑1052, CVE‑2021‑1053, and CVE‑2021‑1056 impacting the Linux GPU Display Driver for Tesla GPUs which will receive an update driver version starting with January 18, 2021.
The bugs come with CVSS V3 base scores ranging from 5.3 to 8.4, with11 of them having received a high-risk assessment from NVIDIA.
NVIDIA’s security bulletin says that the “risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk of your local installation.”
The company also advises consulting an IT or security professional to correctly evaluate the risk these vulnerabilities pose to your specific system configuration.
The full list of security flaws addressed by NVIDIA this month is available in the January 2021 Security Bulletin.
Some driver versions available via hardware vendors
NVIDIA recommends customers to update their GeForce, NVIDIA RTX, Quadro, NVS, and Tesla GPU display drivers, as well as Virtual GPU Manager and guest driver software using the security updates available on the NVIDIA Driver Downloads page.
The company also says that some customers who will not patch the flaws manually may also receive security updates bundled with Windows GPU display driver 460.84, 457.49, and 452.66 versions from their computer hardware vendors.
Enterprise NVIDIA vGPU software users have to log into NVIDIA’s Enterprise Application Hub to get the updates through the NVIDIA Licensing Center.
To find which NVIDIA driver version you have installed on your computer, you can follow the steps detailed here.