Vulnerability Description:
The GLX indirect rendering support supplied on NVIDIA products is subject to the recently disclosed X.Org vulnerabilities (CVE-2014-8093, CVE-2014-8098) as well as internally identified vulnerabilities (CVE-2014-8298).
Exploit Scope and Risk:
Depending on how it is configured, the X server typically runs with raised privileges, and listens for GLX indirect rendering protocol requests from a local socket and potentially a TCP/IP port. The vulnerabilities could be exploited in a way that causes the X server to access uninitialized memory or overwrite arbitrary memory in the X server process. This can cause a denial of service (e.g., an X server segmentation fault), or could be exploited to achieve arbitrary code execution.
The CVSS Risk assessment is listed below.
CVSS Base Score - 8.3
Exploitability sub-score - 6.5
Access Vector: Adjacent Network
Access Complexity: Low
Authentication: None
Impact sub-score - 10.0
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete
CVSS temporal sub-score - 3.5
Exploitability: Unproven that Exploit Exists
Remediation Level: Workaround
Report Confidence: Confirmed
CVSS Environmental Score - [determined by user]
NVIDIA's risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk of your local installation. We recommended consulting a local security or IT professional to evaluate the risk of your specific configuration. NVIDIA knows of no known exploits to these issues at this time.
Vulnerable Configurations:
The NVIDIA implementation of GLX indirect rendering is only used in the NVIDIA GPU drivers for Solaris, FreeBSD, VMware ESX, and other Linux based operating systems where an X server is in use. NVIDIA GPU drivers for other operating systems are not affected.
Vulnerability Discovery:
NVIDIA was informed of this issue by public advisement from X.Org participants on Oct 9, 2014, by Adam Jackson and Alan Coopersmith. Internal analysis and additional issues refined by Robert Morell of NVIDIA.
Fix:
NVIDIA recommends that users upgrade their drivers. Refer to the table below for recommended driver updates and locations.
|
Driver |
Scheduled Support Date |
|
Linux Discrete GPU Drivers |
|
|
Releases prior to 304 |
Has reached 'end of life' and no longer supported. |
|
R304.125 and better |
R304.125 available as of 12/9 |
|
R331.113 and better |
R331.113 available as of 12/9 |
|
R340.65 and better |
R340.65 available as of 12/9 |
|
R343.36 and better |
R343.36 available as of 12/9 |
|
R346.22 and better |
R346.22 Beta available as of 12/9 |
|
Linux for Tegra (L4T) Products |
|
|
R19.x |
No fix planned-update to R21.2 |
|
R21.1 |
No fix planned - update to R21.2 |
|
R21.2 |
Release planned for 12/9/2014 |
|
Chrome OS |
|
|
R40 or better |
Contact Google support for release information |
|
CUDA Toolkit SDK |
To patch the CUDA Toolkit SDK 6.0 and 6.5 installation, install the updated drivers with the security patch from Release 331 and Release 340 |
|
CUDA 5.5 |
R331.113 or R340.65, available as of 12/9 |
|
CUDA 6.0 |
R331.113 available as of 12/9 |
|
CUDA 6.5 |
R340.65 available as of 12/9 |
Mitigations:
You may consider either of the following steps to help further mitigate against GLX protocol vulnerabilities:
-
Configure the X server to prohibit X connections from the local area network (by passing the "-nolisten tcp" command line option to the X.Org X server). Many Linux distributions already set this option by default. Consult your operating system's documentation for details on setting X server command line options
- Disable GLX indirect contexts. With any of the fixed NVIDIA driver versions mentioned above, indirect GLX contexts can be prohibited by setting the "AllowIndirectGLXProtocol" X configuration option to False, or setting the "-iglx" X server command line option on X.Org 1.16 or newer.
