Nvidia has released updated software that includes closure software for security gaps in their graphics card drivers and GPU manager software for server use. The company believes that some of the security gaps are high risk, and attackers could run malicious code or extend their rights within the system.
Administrators should apply the available updates quickly to ensure that attackers cannot exploit these gaps to their advantage. Specifically, Nvidia has patched 17 security holes in their graphics card driver software. Seven of the gaps are high risk, eight are medium risk, and two are low risk. Another medium-severity vulnerability is found in the vGPU software.
Not every gap affects every driver branch for the different GPUs, so Nvidia has listed which driver version is currently up-to-date for which graphics card in their security alert. The most serious vulnerability in the Linux driver could allow attackers to execute injected code, escalate their privileges, gain unauthorized access to information, manipulate data, or start a denial of service.
In the Windows driver, the equally classified worst vulnerability still allows attackers to escalate privileges, access information, modify data, and also start a denial of service. Both gaps just barely miss the “critical” rating.
In Nvidia’s Data Center GPU Manager (DCGM) for managing GPUs in cluster environments, attackers could provoke a heap-based buffer overflow and thus manipulate data or trigger a Denial-of-Service. Software versions before 3.1.7 are susceptible to this, write Nvidia’s developers in a security advisory.
To address these security gaps, Nvidia recommends updating the software. Under Windows, the driver versions 531.41, 528.89, 518.03, 474.30 and 454.14 are up-to-date and free of the gaps. For Linux, the error-corrected versions 530.41.03, 525.105.17, 515.105.01, 470.182.03 and 450.236.01 are available on Nvidia’s driver download page.
IT managers can obtain the updated DCGM software version 3.1.7 or newer from another Nvidia website. Since some of the security gaps only just miss a classification as critical, users should quickly update their software. As of December last year, Nvidia also closed security gaps in the GPU drivers which allowed attackers to execute malicious code.
