Nvidia patches eight security flaws in graphics products

Profile Bernie Vine
Volunteer moderator
Volunteer tester
Joined: 26 May 99
Posts: 9863
Credit: 84,936,331
RAC: 59,476
United Kingdom
Message 1982509 - Posted: 27 Feb 2019, 21:44:59 UTC
Last modified: 27 Feb 2019, 21:45:52 UTC

Taken from my daily email from Sophos

Chip maker Nvidia has released its first security update for 2019 (ID 4772), fixing eight CVE flaws in its Windows and Linux graphics display drivers. Users are advised to patch as soon as possible.

The company scores the flaws using the Common Vulnerability Scoring System (CVSS) v3, which shows five with a rating of 8.8, equating to ‘high’ severity rather than ‘critical’.

That’s because none can be exploited remotely and require local access, for example by executing malware on the target system.

Depending on the flaw, an exploit could lead to a denial of service state, code execution, information disclosure or, potentially worst of all, to an escalation of privileges in six of the vulnerabilities.

Affected products include the hugely popular GeForce, Quadro, and NVS, as well as the specialist Tesla graphics cards.

The full list in bulletin 4772 is: CVE-2019-5665, CVE-2019-5666, CVE-2019-5667, CVE-2019-5668, CVE-2019-5669, CVE-2019-5670, CVE-2019-5671, and CVE-2018-6260.

Despite being a 2.2 (low) on CVSSv3, the last of these is perhaps the most interesting because the fix emerged from research published last November into side-channel attacks on GPUs. Nvidia describes it as a…

Vulnerability that may allow access to application data processed on the GPU through a side channel exposed by the GPU performance counters.

This affects all GPU makers, including AMD and Intel as well as Nvidia and patching it requires several manual Nvidia control panel steps in addition to applying the driver update (instructions HERE).

Applying the latest drivers on Windows should bring users to version 419.17 (Linux versions vary depending on the distro).

Which brings us to the issue of how to update. Most users might have to do this manually via the vendor’s website although Nvidia offers a utility, GeForce Experience, which will helpfully alert users as and when new security updates become available.
ID: 1982509
Sirius B Project Donor
Volunteer tester
Joined: 26 Dec 00
Posts: 21008
Credit: 2,923,675
RAC: 651
Ireland
Message 1982516 - Posted: 27 Feb 2019, 22:10:51 UTC - in response to Message 1982509.  
Last modified: 27 Feb 2019, 22:11:35 UTC

"Applying the latest drivers on Windows should bring users to version 419.17 (Linux versions vary depending on the distro).
Which brings us to the issue of how to update. Most users might have to do this manually via the vendor’s website although Nvidia offers a utility, GeForce Experience, which will helpfully alert users as and when new security updates become available."
That all depends on:
A: GPU
B: Windows version.

Ran GeForce Experience, detected card correctly then stated latest driver installed, no update necessary. Version 342.01
ID: 1982516
Profile j mercer
Joined: 3 Jun 99
Posts: 2345
Credit: 12,237,041
RAC: 528
United States
Message 1982543 - Posted: 28 Feb 2019, 2:35:23 UTC

Latest and greatest plus beta.

https://www.nvidia.com/Download/Find.aspx?lang=en-us
...
ID: 1982543
Profile Wiggo "Democratic Socialist"
Joined: 24 Jan 00
Posts: 16806
Credit: 230,893,234
RAC: 168,332
Australia
Message 1982547 - Posted: 28 Feb 2019, 4:00:50 UTC

"Ran GeForce Experience, detected card correctly then stated latest driver installed, no update necessary. Version 342.01"
Yep anything below a Fermi based card these days is regarded as a legacy job and no further updates are available for them. ;-)

Cheers.
ID: 1982547
Profile Tom M
Volunteer tester

Joined: 28 Nov 02
Posts: 3556
Credit: 211,522,391
RAC: 514,640
United States
Message 1982550 - Posted: 28 Feb 2019, 4:25:19 UTC

Please let us know when those security patches make it into the Ubuntu/NVIDIA/Launchpad open source drivers.

Thank you.

Tom
Oh NO.... I lost my tagline....
ID: 1982550
Profile TimeLord04 Project Donor
Volunteer tester
Joined: 9 Mar 06
Posts: 19955
Credit: 25,734,179
RAC: 69,011
United States
Message 1982559 - Posted: 28 Feb 2019, 5:42:40 UTC

NVIDIA for MacOS High Sierra 10.13.6 - 17G5019 just released 387.10.10.10.40.122.

387.10.10.10.40.122


TL
TimeLord04
Have TARDIS, will travel...
Come along K-9!
Join Calm Chaos
ID: 1982559
Profile Bernie Vine
Volunteer moderator
Volunteer tester
Joined: 26 May 99
Posts: 9863
Credit: 84,936,331
RAC: 59,476
United Kingdom
Message 1982560 - Posted: 28 Feb 2019, 6:09:35 UTC
Last modified: 28 Feb 2019, 6:32:14 UTC

"That all depends on:
A: GPU
B: Windows version."


Indeed it does, I have two 32 bit Windows 10 machines that cannot have driver updates but I wonder if the security problems still exist and just cannot be patched.

As the article states it affects all graphic products including AMD and Intel, I very much suspect it does.

Just noticed this line in the document

"Affected versions include the versions listed and all earlier branches and releases.
If you are using an unsupported version or an earlier unsupported branch, upgrade to the latest supported version. To identify products that are no longer supported, check the product EOL pages Windows legacy GPU releases and UNIX legacy GPU releases, or contact NVIDIA Support."


Which seems to me to say that it affects all cards, but there is no patch for the older or 32 bit OS ones.

However now you can see why it is important to have the latest drivers.

"Please let us know when those security patches make it into the Ubuntu/NVIDIA/Launchpad open source drivers."


It was in the link in my first post



For those who may not have seen the link to the official Nvidia document it is

HERE

It gives further links to check if your card is supported, which for FERMI apparently security support ended last month!!
ID: 1982560
Profile Tom M
Volunteer tester

Joined: 28 Nov 02
Posts: 3556
Credit: 211,522,391
RAC: 514,640
United States
Message 1982624 - Posted: 28 Feb 2019, 16:30:42 UTC - in response to Message 1982560.  

"Please let us know when those security patches make it into the Ubuntu/NVIDIA/Launchpad open source drivers."


"It was in the link in my first post"


Sorry. I was not clear. I am only interested in the patch after it has been processed through the Ubuntu Launchpad website. I was hoping someone would notice and let me know.

Tom
Oh NO.... I lost my tagline....
ID: 1982624
rob smith Crowdfunding Project Donor*Special Project $75 donorSpecial Project $250 donor
Volunteer moderator
Volunteer tester

Joined: 7 Mar 03
Posts: 17795
Credit: 407,166,105
RAC: 143,547
United Kingdom
Message 1982625 - Posted: 28 Feb 2019, 16:48:37 UTC

If you are that eager the best thing for you to do is sign up on the nvidia and ubuntu bug and release boards where the news will pop out first.
Bob Smith
Member of Seti PIPPS (Pluto is a Planet Protest Society)
Somewhere in the (un)known Universe?
ID: 1982625
Profile Brent Norman Crowdfunding Project Donor*Special Project $75 donorSpecial Project $250 donor
Volunteer tester

Joined: 1 Dec 99
Posts: 2766
Credit: 573,362,603
RAC: 911,265
Canada
Message 1982629 - Posted: 28 Feb 2019, 17:00:03 UTC - in response to Message 1982624.  
Last modified: 28 Feb 2019, 17:01:15 UTC

"Vulnerability that may allow access to application data processed on the GPU through a side channel exposed by the GPU performance counters."
That is of worry to you? Having someone "Locally" access your computer and get seti data is pretty darn low to me.
If gaming, what's the worst they can do, get your score?
The patch will just be something to slow crunching down IMO.
ID: 1982629
Profile Gone with the wind Crowdfunding Project Donor*Special Project $75 donor
Volunteer tester

Joined: 19 Nov 00
Posts: 41577
Credit: 41,999,167
RAC: 646
Message 1982630 - Posted: 28 Feb 2019, 17:08:24 UTC

This doesn't sound to me much more than Nvidia covering their backsides just in case. Then again, the Linux crowd do seem to be amongst the more edgy of users.
ID: 1982630



 
©2019 University of California
 
SETI@home and Astropulse are funded by grants from the National Science Foundation, NASA, and donations from SETI@home volunteers. AstroPulse is funded in part by the NSF through grant AST-0307956.