NVIDIA Windows GPU Display Driver Multiple Vulnerabilities (February 2019)

high Nessus Plugin ID 122510

Synopsis

A display driver installed on the remote Windows host is affected by multiple vulnerabilities.

Description

The NVIDIA GPU display driver software on the remote host is missing a security update. It is, therefore, affected by multiple vulnerabilities:

- A vulnerability in the 3D vision component in which the stereo service software, when opening a file, does not check for hard links. This behavior may lead to code execution, denial of service or escalation of privileges. (CVE-2019-5665)

- A vulnerability in the kernel mode layer (nvlddmkm.sys) create context command DDI DxgkDdiCreateContext in which the product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array, which may lead to denial of service or escalation of privileges. (CVE-2019-5666)

- A vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiSetRootPageTable in which the application dereferences a pointer that it expects to be valid, but is NULL, which may lead to code execution, denial of service or escalation of privileges. (CVE-2019-5667)

It is also affected by additional vulnerabilities including denial of service, privilege escalation, code execution, and information disclosure vulnerabilities. See the vendor advisory for details.

Solution

Upgrade the NVIDIA graphics driver in accordance with the vendor advisory.

See Also

https://nvidia.custhelp.com/app/answers/detail/a_id/4772

Plugin Details

Severity: High

ID: 122510

File Name: nvidia_win_2019_02.nasl

Version: 1.4

Type: local

Agent: windows

Family: Windows

Published: 3/1/2019

Updated: 4/5/2023

Configuration: Enable paranoid mode

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2019-5665

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:nvidia:gpu_driver

Required KB Items: WMI/DisplayDrivers/NVIDIA, Settings/ParanoidReport

Exploit Ease: No known exploits are available

Patch Publication Date: 2/28/2019

Vulnerability Publication Date: 11/13/2018

Reference Information

CVE: CVE-2018-6260, CVE-2019-5665, CVE-2019-5666, CVE-2019-5667, CVE-2019-5668, CVE-2019-5669, CVE-2019-5670, CVE-2019-5671

IAVA: 2019-A-0063-S