Nvidia has released updated software to fix security vulnerabilities, some of which the company rates as high risk. The graphics card drivers are affected, as is the GPU manager software for server use. Attackers could run malicious code or escalate their privileges on the system. Administrators should apply the available updates quickly.
Nvidia Graphics Card Drivers: Numerous Security Vulnerabilities
Nvidia has patched 17 security vulnerabilities in the graphics card driver alone. Of these, seven count as high-risk, eight as medium-risk, and two as low-risk. Another medium-severity vulnerability is found in the vGPU software. Not every vulnerability affects every driver branch for the different GPUs. In the security advisory, Nvidia therefore lists which driver version is currently up to date for which graphics card.
The most serious vulnerability in the Linux driver could allow attackers to run injected code, escalate privileges, gain unauthorized access to information, tamper with data, or cause a denial of service (CVE-2023-0189, CVSS 8.8, risk "high"). In the Windows driver, the worst vulnerability, which carries the same rating, still allows attackers to escalate privileges, access information, modify data, and cause a denial of service (CVE-2023-0184, CVSS 8.8, high). Both vulnerabilities just barely miss the "critical" rating.
In Nvidia's Data Center GPU Manager (DCGM) for managing GPUs in cluster environments, attackers could provoke a heap-based buffer overflow and thus manipulate data or trigger a denial of service (CVE-2023-0208, CVSS 8.4, high). Software versions before 3.1.7 are susceptible to this, Nvidia's developers write in a security advisory.
Patched software
Under Windows, driver versions 531.41, 528.89, 518.03, 474.30 and 454.14 are up to date and contain the fixes. For Linux, the patched versions 530.41.03, 525.105.17, 515.105.01, 470.182.03 and 450.236.01 are available on Nvidia's driver download page. IT managers can obtain the updated DCGM software version 3.1.7 or newer from another Nvidia website.
Since some of the vulnerabilities only just miss a classification as critical, users should update their software quickly.
In December of last year, Nvidia also closed security vulnerabilities in the GPU drivers. Among other things, these also allowed attackers to execute malicious code.
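To check a fleet against the version numbers above, the following sketch compares installed Linux driver and DCGM versions with the fixed releases. It is an added example, not Nvidia's tooling; the host names and inventory are constructed, and matching a driver to its branch by the first version component is an assumption. The Windows driver versions are not covered.

```python
import re

FIXED_LINUX = ["530.41.03", "525.105.17", "515.105.01", "470.182.03", "450.236.01"]
FIXED_DCGM = "3.1.7"  # both values as listed in the article

def parse(version):
    """Turn '525.85.12' into (525, 85, 12); reject anything else."""
    version = version.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in version.split("."))

def linux_driver_status(installed):
    """Compare a Linux driver version with the fixed release of its branch."""
    inst = parse(installed)
    for fixed in map(parse, FIXED_LINUX):
        # Assumption: the first version component identifies the branch.
        if fixed[0] == inst[0]:
            return "patched" if inst >= fixed else "vulnerable"
    return "unknown-branch"  # not listed in the article; check Nvidia's advisory

def dcgm_status(installed):
    # DCGM versions before 3.1.7 are affected by CVE-2023-0208.
    return "patched" if parse(installed) >= parse(FIXED_DCGM) else "vulnerable"

def audit(inventory):
    """Return every (host, component, version, status) that is not patched."""
    findings = []
    for host, component, version in inventory:
        check = linux_driver_status if component == "linux-driver" else dcgm_status
        try:
            status = check(version)
        except ValueError:
            status = "unparseable"
        if status != "patched":
            findings.append((host, component, version, status))
    return findings

# Constructed sample inventory with hypothetical host names.
SAMPLE = [
    ("gpu-node-01", "linux-driver", "525.85.12"),
    ("gpu-node-02", "linux-driver", "530.41.03"),
    ("gpu-node-03", "linux-driver", "510.108.03"),
    ("gpu-node-04", "dcgm", "3.1.3"),
    ("gpu-node-05", "linux-driver", "N/A"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

On a live host, the installed driver version can be read with `nvidia-smi --query-gpu=driver_version --format=csv,noheader` and fed into the inventory.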
(dmk)