CVE-2015-7869: Unsanitized User Mode Input

Answer ID 3808
Published 11/13/2015 03:07 PM
Updated 11/18/2015 02:38 AM
Vulnerability Description:

This advisory relates to a security vulnerability in the NVAPI support layer of NVIDIA GPU graphics drivers. The NVAPI support layer is an API layer that NVIDIA exports to give application software access to augmented system functionality. This advisory also covers integer overflow issues in the underlying kernel mode driver.

Exploit Scope and Risk:

Failure to properly sanitize user mode inputs increases the risk that malicious code gains access to privileged resources. The vulnerabilities could be exploited to cause access to uninitialized or out-of-bounds memory, leading to information disclosure, crashes, and potential escalation of privilege.

The CVSS risk assessment is listed below.

CVSS Base Score - 6.2

Exploitability sub-score - 2.7

Access Vector: Local

Access Complexity: Medium

Authentication: Single

Impact sub-score - 9.5

Confidentiality Impact: Complete

Integrity Impact: Partial

Availability Impact: Complete

CVSS temporal sub-score - 4.9

Exploitability: Proof of concept code

Remediation Level: Official Fix

Report Confidence: Confirmed

CVSS Environmental Score - [determined by user]

NVIDIA's risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk of your local installation. We recommend consulting a local security or IT professional to evaluate the risk of your specific configuration. NVIDIA doesn't know of any exploits for these issues at this time.

Vulnerable Configurations:

The vulnerabilities in the NVAPI layer exist only in NVIDIA GPU graphics drivers for Windows. The integer overflow issues affect both Windows and Linux-based GPU drivers. These issues affect all GPU products and are not specific to any GPU class device.


Vulnerability Discovery:

Issues were identified internally and in collaboration with Intel Security research through private disclosure at PSIRT@nvidia.com. Credit goes to Axel Monroy and Nikita Tarakanov of Intel for their contributions to our product security efforts.

Fix:

NVIDIA recommends that users upgrade to the fixed driver version - details below.

| OS | Branch | 1st version that includes the fix |
| --- | --- | --- |
| Windows | R358 | 358.87 |
| Windows | R352 | 354.35 |
| Windows | R340 | 341.92 |
| Linux | R358 | 358.16 |
| Linux | R352 | 352.63 |
| Linux | R340 | 340.96 |
| Linux | R304 | 304.131 |
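To check an inventory of installed drivers against the fixed versions listed above, the following added example (not NVIDIA code) compares version components as integers, which matters for a value such as 304.131. The inventory format, host names and sample rows are constructed for illustration, and the branch of each driver is assumed to be known to the inventory.

```python
import re

# First fixed driver version per (OS, branch), copied from the advisory's table.
FIRST_FIXED = {
    ("windows", "R358"): "358.87", ("windows", "R352"): "354.35",
    ("windows", "R340"): "341.92", ("linux", "R358"): "358.16",
    ("linux", "R352"): "352.63", ("linux", "R340"): "340.96",
    ("linux", "R304"): "304.131",
}

def parse_version(text):
    """'304.131' -> (304, 131). Components are integers, not decimal digits."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)+", text):
        raise ValueError(f"not a driver version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def is_fixed(os_name, branch, installed):
    """True when `installed` is at or above the first fixed version.
    Raises KeyError if the advisory lists no fix for that OS and branch."""
    fixed = FIRST_FIXED[(os_name.strip().lower(), branch.strip().upper())]
    return parse_version(installed) >= parse_version(fixed)

def audit(inventory_csv):
    """Map each host to 'fixed', 'vulnerable', or 'unlisted' (manual review)."""
    report = {}
    for line in inventory_csv.strip().splitlines():
        host, os_name, branch, version = (f.strip() for f in line.split(","))
        try:
            report[host] = "fixed" if is_fixed(os_name, branch, version) else "vulnerable"
        except KeyError:
            report[host] = "unlisted"
    return report

# Constructed inventory (hypothetical hosts): host, OS, branch, installed version.
# The branch is a column because the version alone does not name it: the
# Windows R352 fix ships as 354.35.
SAMPLE_INVENTORY = """
ws-01, Windows, R358, 358.87
ws-02, Windows, R352, 353.30
gpu-01, Linux, R304, 304.64
gpu-02, Linux, R352, 352.63
gpu-03, Linux, R346, 346.96
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

A host reported as "unlisted" is on an OS and branch combination for which the advisory names no fixed version, so it needs manual review rather than an automatic pass.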

Mitigations:

Always observe the following safe computing practices:

· Only download or execute content and programs from trusted third parties.

· Run your system and programs with the least privilege necessary. Users should run without root privileges whenever possible.

· When running as root, do not elevate privileges for activities or programs that don't need them.
