Nvidia patches eight security flaws in graphics products

Chip maker Nvidia has released its first security update for 2019 (ID 4772), fixing eight CVE flaws in its Windows and Linux graphics display drivers. Users are advised to patch as soon as possible.

The company scores the flaws using the Common Vulnerability Scoring System (CVSS) v3, which shows five with a rating of 8.8, equating to ‘high’ severity rather than ‘critical’.

That’s because none can be exploited remotely and require local access, for example by executing malware on the target system.

Depending on the flaw, an exploit could lead to a denial of service state, code execution, information disclosure or, potentially worst of all, to an escalation of privileges in six of the vulnerabilities.

Affected products include the hugely popular GeForce, Quadro, and NVS, as well as the specialist Tesla graphics cards.

The full list in bulletin 4772 is: CVE-2019-5665, CVE-2019-5666, CVE-2019-5667, CVE-2019-5668, CVE-2019-5669, CVE-2019-5670, CVE-2019-5671, and CVE-2018-6260.

Despite being a 2.2 (low) on CVSSv3, the last of these is perhaps the most interesting because the fix emerged from research published last November into side-channel attacks on GPUs. Nvidia describes it as a…

Vulnerability that may allow access to application data processed on the GPU through a side channel exposed by the GPU performance counters.

This affects all GPU makers, including AMD and Intel as well as Nvidia and patching it requires several manual Nvidia control panel steps in addition to applying the driver update (instructions here).

Applying the latest drivers on Windows should bring users to version 419.17 (Linux versions vary depending on the distro).

Which brings us to the issue of how to update. Most users might have to do this manually via the vendor’s website although Nvidia offers a utility, GeForce Experience, which will helpfully alert users as and when new security updates become available.