NVIDIA’s first security update of 2021 releases fixes for 11 high-severity vulnerabilities in its GPU and vGPU display drivers, that could possibly lead to DoS attacks. The bugs affect Windows, Linux, Citrix Hypervisor, VMware vSphere, Red Hat Enterprise Linux KVM, and Nutanix AHV.
After what has been a highly unpredictable and strenuous year for cybersecurity professionals, NVIDIA is out with its first security update for 2021Opens a new window . The gaming heavyweight has released updates for six vulnerabilities in the display drivers of its graphics processing units (GPUs) for Windows and Linux operating systems. In all, the tech titan released patches for 16 vulnerabilities, out of which 11 are high-security bugs that could potentially lead to denial of service (DoS) and privilege escalation attacks, thereby reducing the risk of information leaks and data tampering in affected systems.
NVIDIA GPU Bugs
The six vulnerabilities reside in the software component — the GPU driver, which is popular among gamers for high-end image processing, manipulation optimized for gaming. Among them are two vulnerabilities in the kernel mode layer handler of the NVIDIA GPU video adapter that may give attackers escalated privileges in the system.
Access to the Kernel mode is highly risky as any code run within it gives the user full, unrestricted access to the hardware to effectively cause DoS attacks and steal system data. The vulnerabilities — tracked CVE-2021-1051Opens a new window and CVE-2021-1052Opens a new window are assigned a high severity score of 8.4 and 7.8, respectively, on the CVSS index.
The remaining six, i.e., CVE-2021-1053, CVE-2021-1054, CVE-2021-1055, and CVE-2021-1056, also reside in the kernel mode layer and pose medium-level DoS threats and information leak risks.
The details of the updates are as follows:Â Â
NVIDIA GPU Vulnerability Updates
See Also: Microsoft January Patch Tuesday Fixes 10 Critical Bugs, Including a Zero Day Flaw
NVIDIA vGPU Bugs
NVIDIA’s update last week also included fixes for 10 vulnerabilities discovered in the NVIDIA Virtual GPU (vGPU) software used in virtual workstations, servers, etc., besides personal computers.
With a CVSS score of 7.8, nine of these 10 vGPU vulnerabilities are also highly severe. In its advisory, NVIDIA said that their risk assessment is “based on an average of risk across a diverse set of installed systems and may not represent the true risk to your local installation.â€
For now, the GPU maker advised users to seek an IT or security professional’s help to evaluate the risk to their specific configuration. Users can also follow steps outlined by NVIDIAOpens a new window to determine the version of the display driver installed on their system.
CVE-2021-1057 allows unauthorized guests to allocate computing resources, leading to integrity and confidentiality loss, denial of service, or information disclosure.
A complete list of vGPU vulnerabilities with their corresponding CVSS scores and risks is given below:
| Vulnerability | How it Works | Vulnerability Risk | CVSS Score |
| CVE‑2021‑1057 | Resource allocation by unauthorized guest | Integrity and confidentiality loss, denial of service, or information disclosure. | 7.8 |
| CVE‑2021‑1058 | Input data size is not validated | Tampering of data or denial of service | 7.8 |
| CVE‑2021‑1059 | Input index is not validated | Tampering of data, information disclosure, or denial of service | 7.8 |
| CVE‑2021‑1060 | Input index is not validated | Tampering of data, information disclosure, or denial of service | 7.8 |
| CVE‑2021‑1061 | Race condition may cause the vGPU plugin to continue using a previously validated and unchanged resource | Denial of service or information disclosure | 7.8 |
| CVE‑2021‑1062 | Input data length is not validated | Tampering of data or denial of service | 7.8 |
| CVE‑2021‑1063 | Input offset is not validated | Tampering of data, information disclosure, or denial of service | 7.8 |
| CVE‑2021‑1064 | Value from an untrusted source is converted to a pointer, and is dereferenced by the vulnerable vGPU | Information disclosure or denial of service | 7.8 |
| CVE‑2021‑1065 | Input data is not validated | Information disclosure or denial of service | 7.8 |
| CVE‑2021‑1066 | Input data is not validated | Denial of Service | 5.5 |
Â
NVIDIA’s Updates:
vGPU Updates by NVIDIA
Besides gaming, NVIDIA GPUs are also used for mining cryptocurrency, thus increasing the scope of the vulnerabilities.
Let us know if you liked this news on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We would love to hear from you!