Nvidia is warning GPU owners to update their graphics card drivers after discovering several high-severity security vulnerabilities. ThreatPost reports that Nvidia has found bugs in its virtual GPU software and in the display driver that the graphics card requires to function.
Nvidia has a table of drivers for its various product lines on Windows and Linux, but the breakdown makes little practical difference: GeForce, Quadro, and Tesla drivers all appear to be vulnerable on both Windows and Linux, so it is best to update the graphics driver regardless.
In total, the company uncovered 13 vulnerabilities: five in the GPU display driver and eight in the vGPU software. Most score between 7 and 8 under CVSS 3.1 (Common Vulnerability Scoring System), an open standard for rating security vulnerabilities on a scale of 1 to 10.
CVE-2021-1074 is one of the most pressing issues, with a CVSS base score of 7.5. This vulnerability is in the display driver installer and could allow an attacker with local system access to replace the installation files with malicious ones. At the other end, CVE-2021-1078 received a base score of 5.5; it is a vulnerability in the kernel driver that could result in a system crash.
There is also CVE-2021-1085 in the vGPU software (base score of 7.3), which makes it possible to write data to shared storage locations and manipulate it after it has been validated. This could lead to escalation of privileges and denial of service.
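The "manipulated after validation" pattern is a check-then-use race on memory that another party can still write. The C sketch below is an added, generic illustration of that bug class and its usual fix (snapshot once, then validate and use the private copy); it is not Nvidia's code and does not reproduce CVE-2021-1085. The struct, the function names and the `race_hook` callback that stands in for the concurrent writer are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BUF_MAX 16

/* Constructed layout of a request held in memory that both sides can write. */
struct shared_req {
    volatile uint32_t len;   /* length field set by the untrusted side */
    uint8_t data[64];
};

/* Test hook standing in for the other party writing between check and use. */
typedef void (*race_hook)(struct shared_req *);

/* Flawed pattern: len is fetched twice from shared memory (check, then use).
 * Returns the length the code acted on, or -1 if rejected. The copy itself
 * is clamped so this demonstration stays memory-safe. */
int handle_double_fetch(struct shared_req *req, race_hook hook, uint8_t out[BUF_MAX])
{
    if (req->len > BUF_MAX)              /* fetch 1: validation */
        return -1;
    if (hook) hook(req);                 /* window: peer rewrites len */
    uint32_t used = req->len;            /* fetch 2: value actually used */
    memcpy(out, req->data, used > BUF_MAX ? BUF_MAX : used);
    return (int)used;                    /* can exceed BUF_MAX despite the check */
}

/* Hardened pattern: one fetch into private memory, validate and use that copy. */
int handle_snapshot(struct shared_req *req, race_hook hook, uint8_t out[BUF_MAX])
{
    uint32_t len = req->len;             /* single fetch */
    if (len > BUF_MAX)
        return -1;
    if (hook) hook(req);                 /* peer rewrites shared len; snapshot unaffected */
    memcpy(out, req->data, len);
    return (int)len;
}

/* Constructed peer behaviour: enlarge len after it has been validated. */
void grow_len(struct shared_req *req) { req->len = 64; }

int main(void)
{
    struct shared_req r = { .len = 8 };
    uint8_t out[BUF_MAX];
    int a = handle_double_fetch(&r, grow_len, out);  /* validated 8, acted on 64 */
    r.len = 8;
    int b = handle_snapshot(&r, grow_len, out);      /* acted on the validated 8 */
    return !(a == 64 && b == 8);
}
```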
If you only have one Nvidia graphics card, you don't have to worry about the vGPU vulnerabilities. The vGPU software was developed for the data center and lets operators share a graphics card's performance across several virtual machines. Nvidia recommends updating your graphics card driver via the Nvidia driver download page and the vGPU software via the Nvidia license portal (if you have access to it).
The vulnerabilities highlight the importance of regularly updating your software and drivers. Earlier this year, Nvidia fixed several vulnerabilities in its display driver, and it continues to release updates when vulnerabilities arise. The current issues can lead to malicious code execution (ransomware, etc.), escalation of privileges, data disclosure, data corruption and/or denial of service. Hence, you should update your GPU driver as soon as possible.
All of the problems are in software, so it doesn't matter which graphics card you have. Even with a last-generation or older GPU – a likely situation given the ongoing graphics card shortage – you still need to update your driver.