Debian DLA-2888-1 : nvidia-graphics-drivers - LTS security update

high Nessus Plugin ID 156794

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-2888 advisory.

- NVIDIA GPU Display Driver for Linux, all versions, contains a vulnerability in the kernel mode layer (nvidia.ko) in which it does not completely honor operating system file system permissions to provide GPU device-level isolation, which may lead to denial of service or information disclosure. (CVE-2021-1056)

- NVIDIA GPU Display Driver for Windows and Linux, all versions, contains a vulnerability in the kernel mode layer (nvlddmkm.sys or nvidia.ko) where improper access control may lead to denial of service, information disclosure, or data corruption. (CVE-2021-1076)

- NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in firmware where the driver contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary, and may lead to denial of service or system crash. (CVE-2021-1093)

- NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape where an out of bounds array access may lead to denial of service or information disclosure. (CVE-2021-1094)

- NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handlers for all control calls with embedded parameters where dereferencing an untrusted pointer may lead to denial of service. (CVE-2021-1095)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade the nvidia-graphics-drivers packages.

For Debian 9 stretch, these problems have been fixed in version 390.144-1~deb9u1.

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987216

http://www.nessus.org/u?f8601151

https://www.debian.org/lts/security/2022/dla-2888

https://security-tracker.debian.org/tracker/CVE-2021-1056

https://security-tracker.debian.org/tracker/CVE-2021-1076

https://security-tracker.debian.org/tracker/CVE-2021-1093

https://security-tracker.debian.org/tracker/CVE-2021-1094

https://security-tracker.debian.org/tracker/CVE-2021-1095

https://packages.debian.org/source/stretch/nvidia-graphics-drivers

Plugin Details

Severity: High

ID: 156794

File Name: debian_DLA-2888.nasl

Version: 1.2

Type: local

Agent: unix

Published: 1/18/2022

Updated: 1/18/2022

Supported Sensors: Frictionless Assessment Agent, Nessus Agent

Risk Information

CVSS Score Source: CVE-2021-1076

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 4.6

Temporal Score: 3.4

Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: E:U/RL:OF/RC:C

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:libcuda1, p-cpe:/a:debian:debian_linux:libcuda1-i386, p-cpe:/a:debian:debian_linux:libegl-nvidia0, p-cpe:/a:debian:debian_linux:libegl1-glvnd-nvidia, p-cpe:/a:debian:debian_linux:libegl1-nvidia, p-cpe:/a:debian:debian_linux:libgl1-glvnd-nvidia-glx, p-cpe:/a:debian:debian_linux:libgl1-nvidia-glvnd-glx, p-cpe:/a:debian:debian_linux:libgl1-nvidia-glx, p-cpe:/a:debian:debian_linux:libgles-nvidia1, p-cpe:/a:debian:debian_linux:libgles-nvidia2, p-cpe:/a:debian:debian_linux:libgles1-glvnd-nvidia, p-cpe:/a:debian:debian_linux:libgles1-nvidia, p-cpe:/a:debian:debian_linux:libgles2-glvnd-nvidia, p-cpe:/a:debian:debian_linux:libgles2-nvidia, p-cpe:/a:debian:debian_linux:libglvnd0-nvidia, p-cpe:/a:debian:debian_linux:libglx-nvidia0, p-cpe:/a:debian:debian_linux:libglx0-glvnd-nvidia, p-cpe:/a:debian:debian_linux:libnvcuvid1, p-cpe:/a:debian:debian_linux:libnvidia-cfg1, p-cpe:/a:debian:debian_linux:libnvidia-compiler, p-cpe:/a:debian:debian_linux:libnvidia-eglcore, p-cpe:/a:debian:debian_linux:libnvidia-encode1, p-cpe:/a:debian:debian_linux:libnvidia-fatbinaryloader, p-cpe:/a:debian:debian_linux:libnvidia-fbc1, p-cpe:/a:debian:debian_linux:libnvidia-glcore, p-cpe:/a:debian:debian_linux:libnvidia-ifr1, p-cpe:/a:debian:debian_linux:libnvidia-ml1, p-cpe:/a:debian:debian_linux:libnvidia-ptxjitcompiler1, p-cpe:/a:debian:debian_linux:libopengl0-glvnd-nvidia, p-cpe:/a:debian:debian_linux:nvidia-alternative, p-cpe:/a:debian:debian_linux:nvidia-cuda-mps, p-cpe:/a:debian:debian_linux:nvidia-detect, p-cpe:/a:debian:debian_linux:nvidia-driver, p-cpe:/a:debian:debian_linux:nvidia-driver-bin, p-cpe:/a:debian:debian_linux:nvidia-driver-libs, p-cpe:/a:debian:debian_linux:nvidia-driver-libs-i386, p-cpe:/a:debian:debian_linux:nvidia-driver-libs-nonglvnd, p-cpe:/a:debian:debian_linux:nvidia-driver-libs-nonglvnd-i386, p-cpe:/a:debian:debian_linux:nvidia-egl-common, p-cpe:/a:debian:debian_linux:nvidia-egl-icd, p-cpe:/a:debian:debian_linux:nvidia-kernel-dkms, p-cpe:/a:debian:debian_linux:nvidia-kernel-source, p-cpe:/a:debian:debian_linux:nvidia-kernel-support, p-cpe:/a:debian:debian_linux:nvidia-legacy-check, p-cpe:/a:debian:debian_linux:nvidia-libopencl1, p-cpe:/a:debian:debian_linux:nvidia-nonglvnd-vulkan-common, p-cpe:/a:debian:debian_linux:nvidia-nonglvnd-vulkan-icd, p-cpe:/a:debian:debian_linux:nvidia-opencl-common, p-cpe:/a:debian:debian_linux:nvidia-opencl-icd, p-cpe:/a:debian:debian_linux:nvidia-smi, p-cpe:/a:debian:debian_linux:nvidia-vdpau-driver, p-cpe:/a:debian:debian_linux:nvidia-vulkan-common, p-cpe:/a:debian:debian_linux:nvidia-vulkan-icd, p-cpe:/a:debian:debian_linux:xserver-xorg-video-nvidia, cpe:/o:debian:debian_linux:9.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 1/18/2022

Vulnerability Publication Date: 1/8/2021

Reference Information

CVE: CVE-2021-1056, CVE-2021-1076, CVE-2021-1093, CVE-2021-1094, CVE-2021-1095