NVDIA warned of dangerous vulnerabilities in GPUs
NVIDIA has warned users of five critical vulnerabilities in the GPU display driver that could allow attackers to elevate privileges on a device, execute arbitrary code, cause a Denial of Service (DoS) state, and steal information.
The NVIDIA virtual graphics processing unit (vGPU) software also contains a number of issues that allow similar attacks.
The most dangerous vulnerability in the GPU display driver (CVE-2021-1074) was rated at 7.5 on the CVSS scale and is contained in the display driver installer and allows an attacker with access to the local system to replace an application resource with malicious files. Such an attack can lead to code execution, privilege escalation, DoS attack, or information disclosure.
Another issue (CVE-2021-1075) in the kernel-mode handler (nvlddmkm.sys) for DxgkDdiEscape relates to the process of dereferencing a pointer containing an invalid memory location.
NVIDIA vGPU software contains eight different vulnerabilities. The first four dangerous problems are related to incorrect validation of input data and their use can lead to information disclosure, data forgery or DoS attacks. The other four can lead to data alteration, a “denial of service” state of the system, or an escalation of privileges.
NVIDIA has released hotfixes to resolve all issues.