>NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability which could allow a privileged attacker to escalate permissions. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering
What does “privileged attacker” mean on Linux? In my mind, “privileged” would mean they already have root, but in that case there’s nothing to escalate, right?
Wondering the same. The same column lists a bunch of Windows-only CVEs where an unprivileged user can do stuff, so there has to be some difference between those (CVE‑2024‑0117 - CVE‑2024‑0121) and the headliner CVE‑2024‑0126
They mention hypervisor breaches further below, so could the CVE 0126 imply that a local root user on a shared GPU machine of some sort can break out of the virtualization?
That one is probably only an issue for folks who care about the root/kernel distinction, but there’s a bunch of buffer issues with the user mode component (this runs inside your process when you use graphics APIs). Not enough details, but that could be potentially exploitable from e.g. WebGL/WebGPU
Presumably it needs to be run by someone who already has access to the computer and gives them (or a program executed by them) root/escalated privileges. Although that might include running code from a webpage etc.
If I'm reading the bulletin right, then all the issues can only be exploited from code already running on your machine. So if you have a single user machine and aren't already owned then this is a non-issue and the verbiage in the title and PC World article are not warranted.
The people that actually need to update are:
* Multi-user systems with some untrusted users.
* Users with malware on their system already (which could privilege escalate)
If you use a web browser or play multiplayer video games then there will be code running on your system that interacts with GPU drivers that you haven't explicitly chosen to download and which could potentially exploit certain vulnerabilities.
This highlights why we shouldn't let browsers (google) keep expanding their reach outside of the historical sandbox. It's almost like all the in-browser Java and Flash problems being repeated. They're creating security problems more than helping legitimate developers. WebGL was fine. Websockets were fine. WebGPU and the recently proposed arbitrary socket API are jumping the shark. Raw GPU access and TCP/UDP access are simply bad ideas from inexperienced people and need to be shut down. If you truly need that stuff I think the solution is to step up your game and make native applications.
This to me is the big risk here. A worm hidden in a game mod or something.
I can see it staying in the wild for a long time too. How many of the people that are playing on these cards, or crypto mining, or doing LLM work, are really going to even find out about these vulnerabilities and update the drivers?
The attack surface from a browser is tiny. All you can do is call into ANGLE or Dawn through documented, well-defined and well-tested APIs. Or use things like canvas and CSS animations, I suppose. Browser vendors care a lot about security, so they try to make sure these libraries are solid and you can't interact with the GPU in any other way.
Native applications talk directly to the GPU's kernel-mode driver. The intended flow is that you call into the vendor's user-mode drivers - which are dynamic libraries in your application's address space - and they generate commands and execute ioctls on your application's behalf. The interface between these libraries and the KMD is usually undocumented, ill-defined and poorly tested. GPU vendors don't tend to care about security, so if the KMD doesn't properly validate some inputs, well, that issue can persist a long time. And if there's any bit of control stream that lets you tell the GPU to copy stuff between memory you own and memory you don't... I guess you get a very long security bulletin.
The point is, webpages have access to a much smaller attack surface than native applications. It's unlikely anything in this bulletin is exploitable through a browser.
This is why Qubes OS, which runs everything in isolated VMs, doesn't allow them to use the GPU. My daily driver, can't recommend it enough if you care about security.
A cursory search suggests such plugins aren't sandboxed and run with the same privileges as the main program itself, so I'd definitely be suspicious of any plugin.
I can't find anything on that page or https://nvidia.custhelp.com/app/answers/detail/a_id/5586#sec... that describes whether Windows Update will update the drivers automatically. I just did a Windows Update and it's still got an NVIDIA display driver dated 3/9/2023.
No, Windows Update's Nvidia driver set is usually years out of date and rarely gets updated. It exists as an emergency fallback and doesn't push out regular updates.
Wow, if you go to the Nvidia drivers website, they are still pushing the vulnerable 565.90 version as the "stable version" for creatives. It's only the gamer version that has been updated to 566.03 with the fixes. Incredible.
It is widely believed that the two versions are completely identical, just on a different release cadence. The "Studio" version is also supposed to pass a wider set of tests, but it's still the same driver. The "Game" driver is really only important for newly released games needing fixes/patches/optimizations that just weren't available yet for the previous "Studio" driver release.
At least, that seems to be the consensus among people who've tried to figure this out. There's no official word.
The fine print on the security notice page says that there is a 565.92 version that some OEMs are pushing out themselves.
I get that there is a different release cadence, but it’s simply not acceptable to do business as normal surrounding security releases. The driver page should either have that 656.92 available or disable the download link for the stable channel with a note on when they expect it to be available again.
At the very least, some product manager should be fired. This is a legal liability, and no amount of click-wrap disclaimers will protect them if someone gets owned because of this negligence.
This just reminded me that the GeForce Experience (which is recommended to use the recording functions, and keep updating the drivers), requires an account. And the software is unable to keep your account logged in. It's outrageous to pay so much for a graphics card to later have this experience.
Readit News
>NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability which could allow a privileged attacker to escalate permissions. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering
What does “privileged attacker” mean on Linux? In my mind, “privileged” would mean they already have root, but in that case there’s nothing to escalate, right?
They mention hypervisor breaches further below, so could the CVE 0126 imply that a local root user on a shared GPU machine of some sort can break out of the virtualization?
Deleted Comment
Deleted Comment
The people that actually need to update are:
* Multi-user systems with some untrusted users.
* Users with malware on their system already (which could privilege escalate)
* virtualization hosts of untrusted guests.
I can see it staying in the wild for a long time too. How many of the people that are playing on these cards, or crypto mining, or doing LLM work, are really going to even find out about these vulnerabilities and update the drivers?
Native applications talk directly to the GPU's kernel-mode driver. The intended flow is that you call into the vendor's user-mode drivers - which are dynamic libraries in your application's address space - and they generate commands and execute ioctls on your application's behalf. The interface between these libraries and the KMD is usually undocumented, ill-defined and poorly tested. GPU vendors don't tend to care about security, so if the KMD doesn't properly validate some inputs, well, that issue can persist a long time. And if there's any bit of control stream that lets you tell the GPU to copy stuff between memory you own and memory you don't... I guess you get a very long security bulletin.
The point is, webpages have access to a much smaller attack surface than native applications. It's unlikely anything in this bulletin is exploitable through a browser.
if you have a single user machine and ARE already owned then this is REALLY a non-issue for you.
As it points out, this is an issue with the driver rather than the physical GPU.
At least, that seems to be the consensus among people who've tried to figure this out. There's no official word.
I get that there is a different release cadence, but it’s simply not acceptable to do business as normal surrounding security releases. The driver page should either have that 656.92 available or disable the download link for the stable channel with a note on when they expect it to be available again.
At the very least, some product manager should be fired. This is a legal liability, and no amount of click-wrap disclaimers will protect them if someone gets owned because of this negligence.
(enter "GPU Display" in the search filter box)
1. https://security-tracker.debian.org/tracker/source-package/n... 2. https://tracker.debian.org/pkg/nvidia-graphics-drivers
https://arstechnica.com/gaming/2024/02/nvidias-new-app-doesn...