Denial of service, local escalation of privileges, and information disclosure are not security worries most computer users will associate with their racy graphics card or its drivers.
And yet fixes for precisely these issues are part of February’s Nvidia GPU display update, all of which could compromise Windows or Linux PCs, allowing an attacker to gain local access after a malware attack.
In all, the update covers five desktop CVE vulnerabilities, including one, CVE‑2020‑5957, rated as critical. This is in the Windows GPU Display Driver control panel for the GeForce, Quadro NVS, and Tesla products leading to a corrupt system file and escalation of privileges or denial of service.
A second control panel flaw affecting the same products is CVE‑2020‑5958, which might allow the planting of a malicious DLL file with the same results as above along with information disclosure.
The Virtual GPU Manager gets three fixes addressing CVE‑2020‑5959, CVE‑2020‑5960, and CVE‑2020‑5961, with the first of these rated critical.
Nvidia is also readying separate updates for its enterprise products, namely the Virtual GPU Manager (various hypervisors), and vGPU graphics driver for guest OS (Windows and Linux), which is also affected by some of the above flaws.
Depending on the driver version affected, these will be available in the week of 9 March 2020, with updates during April promised for organizations using either version 10.0 or 10.1 for any of the above products.
These days, updating graphics drivers needs to be part of the standalone user’s patching cycle along with Microsoft’s Patch Tuesday, Intel’s regular CPU and product patches, not forgetting browsers and individual products such as Adobe’s PDF Reader and various plugins .
Nvidia ships fixes for its products almost every month, with missed months made up for by two releases the following month.
Almost all include critical updates for severe vulnerabilities which could cause major problems if left unpatched.
November 2019’s update fixed 11 mostly severe flaws across its desktop products, while August 2019 saw a similar story.