A number of security bugs in the Nvidia Graphics Processing Unit (GPU) and the virtual GPU (vGPU) have been disclosed by Nvidia. According to the company, the vulnerabilities could expose gamers and other users to various types of attacks including arbitrary code execution, DoS attacks and even data disclosure.
Five bugs have been rated as severe in the GPI display driver according to the CVSS vulnerability scale:
- CVE 2021-1074 is rating 7.5 out of 10 in the scale. This bug has been detected in the display driver’s installer and helps an intruder to overwrite an application resource with malicious files and then let him perform Denial of Service attacks, arbitrary code execution and more.
- CVE-2021-1075 rates 7.3 on the CVSS scale which makes it another bug of a high risk that if exploited could lead to malicious code execution, escalation of privileges, and denial of service attacks.
- CVE-2021-1076 and CVE-2021-1077 are medium severity bugs, both rated at 6.6 on the CVSS scale. If exploited, they allow for data corruption, DoS attacks, and information disclosure, researchers reveal.
- Finally, the CVE-221-1078 medium-severity bug rated at 5.5 is linked to a kernel driver vulnerability (nvlddmkm.sys) that could result in a system due to a NULL pointer dereference.
8 Vulnerabilities in Nvidia vGPU Software
In the meantime, the vGPU software of Nvidia has eight vulnerabilities. The virtual GPU enables computer acceleration adaptable to resource-intensive workloads, such as virtual workstations with rich graphics, and artificial intelligence.
Four out of the eight disclosed bugs are rated as high-risk flaws with a rank of 7.8 in the CVSS scale. They may lead to leakage of information, manipulation of data or DoS attacks.
Here they are:
- CVE 2021 1080 is a loophole in the vGPU Manager, in which some input data is not validated;
- CVE 2021 1081 is a flaw in the guest kernel-mode driver and vGPU manager where input length is not validated.
- CVE 2021 1082 is a vGPU manager flaw, caused by a non-validated input length.
- CVE 2021 1083 is a guest kernel-mode driver and vGPU Manager flaw, which could arise from failure in the input length validation.
A variety of other attacks such as data tampering or DoS, control of unauthorized resources, and confidentiality loss may follow from the exploitation of the other four bugs tracked as CVE 2021 1084, CVE 2021 1085, CVE 2021 1086, and CVE 2021 1087. Some of the bugs are currently undergoing analysis and not all information about them has been disclosed.
Nvidia has published updates to patch all disclosed vulnerabilities which can be downloaded from the Nvidia Driver Downloads page. Users of the vGPU could get the latest patches from the Nvidia Licensing Portal. All versions that are vulnerable to the bugs are published in Nvidia’s advisory which was released on Friday.