Executive Summary
In October 2024, NVIDIA released a security bulletin detailing several critical vulnerabilities in their GPU Display Driver, affecting both Windows and Linux systems. These vulnerabilities, identified by multiple CVE identifiers, pose significant risks, including potential code execution, privilege escalation, denial of service, and information disclosure. The vulnerabilities are particularly concerning for sectors heavily reliant on graphical processing, such as gaming, AI research, and data centers. While there are no confirmed reports of exploitation in the wild, the high CVSS scores underscore the urgency for organizations to implement mitigation strategies promptly.
Technical Information
The NVIDIA GPU Display Driver vulnerabilities disclosed in October 2024 encompass a range of security issues that could be exploited by attackers to compromise affected systems. The most critical of these is CVE-2024-0126, which affects both Windows and Linux platforms. This vulnerability allows a privileged attacker to escalate permissions, potentially leading to arbitrary code execution, denial of service, and data tampering. It has been assigned a CVSS score of 8.2, indicating a high severity level. The root cause of this vulnerability is improper input validation, classified under CWE-20.
In addition to CVE-2024-0126, several other vulnerabilities affect Windows systems, including CVE-2024-0117, CVE-2024-0118, CVE-2024-0119, CVE-2024-0120, and CVE-2024-0121. These vulnerabilities involve out-of-bounds reads in the user mode layer, which can be exploited by unprivileged users to execute code, escalate privileges, and cause denial of service. Each of these vulnerabilities has been assigned a CVSS score of 7.8, also indicating high severity. The underlying issue is classified under CWE-125, which pertains to out-of-bounds read errors.
Furthermore, CVE-2024-0127 and CVE-2024-0128 affect NVIDIA vGPU software, allowing users of the guest OS to exploit improper input validation and access global resources. This can lead to information disclosure and privilege escalation. These vulnerabilities have CVSS scores of 7.8 and 7.1, respectively, and are classified under CWE-20 and CWE-732, which relate to improper input validation and incorrect permission assignment.
Exploitation in the Wild
As of the time of this report, there are no confirmed instances of these vulnerabilities being exploited in the wild. Tools such as the CVE Exploit in the Wild Finder and the CVE Threat Actors Finder have not identified any active exploitation or associated APT groups. However, the potential impact of these vulnerabilities necessitates vigilance and proactive measures to prevent future exploitation.
APT Groups using this vulnerability
Currently, there are no known APT groups exploiting these specific vulnerabilities. However, given the nature of the vulnerabilities and the sectors they impact, it is crucial for organizations to remain alert to any emerging threats. The lack of current exploitation should not lead to complacency, as threat actors are constantly evolving their tactics.
Affected Product Versions
The vulnerabilities affect a range of NVIDIA products across different platforms. For Windows driver branches, all versions prior to 566.03 in the R565 branch, 553.24 in the R550 branch, and 538.95 in the R535 branch are affected. For Linux driver branches, all versions prior to 565.57.01 in the R565 branch, 550.127.05 in the R550 branch, and 535.216.01 in the R535 branch are vulnerable. NVIDIA vGPU software is also affected: all Windows and Linux guest driver versions up to and including 17.3, and all Virtual GPU Manager versions up to and including 17.3.
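The driver-branch boundaries above, turned into an inventory triage check (an added example, not code from NVIDIA or Rescana; vGPU is not covered). It assumes the inventory already records the driver branch for each host. The host names and installed versions are constructed, and branches not named above are reported as unlisted rather than guessed.

```python
# Fixed-version boundaries copied from the "Affected Product Versions" paragraph.
FIXED_IN = {
    ("windows", "R565"): "566.03",
    ("windows", "R550"): "553.24",
    ("windows", "R535"): "538.95",
    ("linux", "R565"): "565.57.01",
    ("linux", "R550"): "550.127.05",
    ("linux", "R535"): "535.216.01",
}

def parse_version(text, width=3):
    """Turn '550.127.05' into (550, 127, 5), zero-padded so that
    fields compare numerically instead of character by character."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def assess(platform, branch, version):
    """Return 'affected', 'fixed', 'unlisted' or 'unparseable'."""
    fixed = FIXED_IN.get((platform.lower(), branch.upper()))
    if fixed is None:
        return "unlisted"  # branch not named on the page: review by hand
    try:
        installed = parse_version(version)
    except ValueError:
        return "unparseable"
    return "affected" if installed < parse_version(fixed) else "fixed"

# Constructed sample inventory (hypothetical hosts and installed versions).
SAMPLE_INVENTORY = [
    {"host": "ws-01", "platform": "windows", "branch": "R565", "version": "565.90"},
    {"host": "ws-02", "platform": "windows", "branch": "R550", "version": "553.24"},
    # A plain string comparison would rank "550.90.07" above "550.127.05".
    {"host": "gpu-01", "platform": "linux", "branch": "R550", "version": "550.90.07"},
    {"host": "gpu-02", "platform": "linux", "branch": "R535", "version": "535.216.01"},
    {"host": "gpu-03", "platform": "linux", "branch": "R545", "version": "545.29.06"},
    {"host": "gpu-04", "platform": "linux", "branch": "R565", "version": "unknown"},
]

def triage(inventory):
    """Map each host to its status for the branches listed above."""
    return {
        row["host"]: assess(row["platform"], row["branch"], row["version"])
        for row in inventory
    }

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as unlisted or unparseable need a manual check against the NVIDIA bulletin; they are not confirmed safe.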
Workaround and Mitigation
To mitigate the risks associated with these vulnerabilities, NVIDIA has released updates for the affected driver versions. Users are strongly advised to download and install the latest drivers from the NVIDIA Driver Downloads page or through the NVIDIA Licensing Portal for vGPU and Cloud Gaming updates. In addition to updating drivers, organizations should implement strict access controls to limit the ability of unprivileged users to exploit these vulnerabilities. Regular monitoring of systems for unusual activity is also recommended to detect any potential exploitation attempts.
References
For further information on the vulnerabilities and mitigation strategies, please refer to the following resources:
NVIDIA Security Bulletin: NVIDIA GPU Display Driver - October 2024: https://nvidia.custhelp.com/app/answers/detail/a_id/5586/~/security-bulletin%3A-nvidia-gpu-display-driver---october-2024
NVD entry for CVE-2024-0126: https://nvd.nist.gov/vuln/detail/CVE-2024-0126
NVD entry for CVE-2024-0117: https://nvd.nist.gov/vuln/detail/CVE-2024-0117
We acknowledge the contributions of Piotr Bania from Cisco Talos, Maxim Mints, and Austin Herring for reporting these issues.
Rescana is here for you
At Rescana, we are committed to helping our customers navigate the complex landscape of cybersecurity threats. Our Continuous Threat and Exposure Management (CTEM) platform provides comprehensive solutions to identify, assess, and mitigate vulnerabilities across your organization. We are here to support you in implementing effective security measures and ensuring the resilience of your systems. If you have any questions about this report or any other cybersecurity concerns, please do not hesitate to contact us at ops@rescana.com.