Vulnerability Description:
The NVIDIA Display Driver's kernel administrator check improperly validates local client impersonation levels in some cases.
Exploit Scope and Risk:
The attacker must already have local access on the machine.Under certain conditions, a local user on the system can use improper impersonation behaviors of NVIDIA driver API's to access resources that are intended for local administrator access only. Under these conditions, this behavior may lead to privilege escalation of the local user account, leading to a system compromise.
The CVSS Risk assessment is listed below.
Base CVSS Score |
6.6 |
Impact Subscore |
10.0 |
Confidentiality: Partial |
(C:C) |
Integrity: Partial |
(I:C) |
Availability: Complete |
(A:C) |
Exploitability Subscore |
2.7 |
Access Vector: Local |
(AV:L) |
Access Complexity: High |
(AC:M) |
Authentication: Single |
(Au:S) |
Temporal Subscore |
5.2 |
Exploitability: Proof of Concept Code |
(E:POC) |
Remediation Level: Official fix |
(RL:OF) |
Report Confidence: Confirmed |
(RC:C) |
NVIDIA's risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk of your local installation. We recommended consulting a local security or IT professional to evaluate the risk of your specific configuration. NVIDIA is not aware of any exploits involving these issues.
Vulnerable Configurations:
This vulnerability affects all GPUs with Windows XP, Windows Vista, Windows 7, and Windows Server 2008/2008 R2 systems using NVIDIA GPU Display Driver components, or derived packages which use NVIDIA GPU Display Driver components.
Vulnerability Discovery:
This bug was reported to NVIDIA by James Forshaw, Project Zero, Google.
Fix:
NVIDIA recommends updating to a patched driver for your specific platform need as detailed below.
GeForce Notebook, Quadro or NVS Notebook:
Operating System |
GPU Family |
Fixed in Branch |
Windows Vista/Windows 7 |
Tesla and later |
R304: Version 309.08 or later (Last branch to support Windows Vista for Notebook) |
Windows 7 |
Tesla and later |
R340: Version 341.44 or later (Last branch to support Tesla GPUs) |
Windows 7 |
Fermi and later |
R343: Version 345.20 or later R346: Version 347.52 or later |
GeForce Desktop:
Operating System |
GPU Family |
Fixed in Branch |
Windows Vista / Windows 7 |
Nv 4x - G7x |
R304: Version 309.08 or later |
Windows Vista / Windows 7 |
Tesla and later |
R340: Version 341.44 or later (Last branch to support Tesla GPUs) |
Windows Vista / Windows 7 |
Fermi and later |
R343: Version 345.20 or later R346: Version 347.52 or later |
Quadro or NVS Workstation:
Operating System |
GPU Family |
Fixed in Branch |
Windows Vista / Windows 7 / Windows Server 2008, 2008R2 |
Nv 4x - G7x |
R304: Version 309.08 or later |
Windows Vista / Windows 7 / Windows Server 2008, 2008R2 |
Tesla and later |
R340: Version 341.44 or later (Last branch to support Tesla GPUs) |
Windows Vista / Windows 7 / Windows Server 2008, 2008R2 |
Fermi and later |
R343: Version 345.20 or later R346: Version 347.52 or later |
GRID baremetal or GPU passthrough:
Operating System |
GPU Family |
Fixed in Branch |
Windows 7 / |
Kepler and later |
R343: Version 345.20 or later R346: Version 347.52 or later |
GRID virtual GPU (vGPU):
Operating System |
GPU Family |
Fixed in Branch |
Windows 7 / |
Kepler and later |
R346: Version 347.52 or later |
Windows 8 and Later:
Not affected
Windows XP:
Windows XP is considered vulnerable to this issue though Windows XP is EOL, no longer supported by Microsoft, and subject to numerous other exploits. If you have questions or concerns with specific Windows XP installations, please contact your NVIDIA support team for more information. NVIDIA will not be providing explicit patches for Windows XP systems at this time.
Mitigations:
As the exploit requires local access and a user/process running as administrator to allow impersonation, safe computing practices can mitigate your general risk.
As always, observe safe computing practices by:
· Only downloading or executing content and programs from trusted third parties.
· Run your system and programs with the least privilege necessary. Users should run without administrator rights whenever possible.
· When running as administrator, do not elevate UAC privileges for activities or programs that don't need them.