Justin Sullivan/Getty Images
show image

Nvidia urges Windows customers to issue patches

The chipmaker Nvidia is calling on Windows customers to install patches for a range of recently discovered vulnerabilities.

The US silicon giant warned in a security advisory that the five vulnerabilities could pave the way for local execution, denial of service and escalation of privileges attacks.

The vulnerabilities all concern NVIDIA’s Windows GPU Display Driver, with the most serious affecting the user mode video driver trace logger component.

According to the advisory, “when an attacker has access to the system and creates a hard link, the software does not check for hard link attacks. This behavior may lead to code execution, denial of service, or escalation of privileges.”

The Display Driver also contains vulnerabilities in its DirectX drivers and kernel mode layer, which could also lead to denial of service or code execution attacks. The vulnerabilities range in severity from 5.2 to 8.8, according to Nvidia’s base scoring system.

The vulnerabilities were discovered by Piotr Bania, a researcher at Cisco Talos. In a blogpost, Bania explains: “VMware ESXi, Workstation and Fusion are affected by an out-of-bounds write vulnerability that can be triggered using a specially crafted shader file. This vulnerability can be triggered from a VMware guest, affecting the VMware host, leading to a crash (denial-of-service) of the vmware-vmx.exe process on the host (TALOS-2019-0757).”

Bania added: “However, when the host/guest systems are using an NVIDIA graphics card, the VMware denial-of-service can be turned into a code execution vulnerability (leading to a VM escape), because of an additional security issue present in NVIDIA’s Windows GPU Display Driver (TALOS-2019-0779).”