Nvidia Patches Eight Security Vulnerabilities Across Most Product Lines

Credit: Hairem/Shutterstock

Most graphics drivers are exciting because they add support for new hardware, include optimizations for the latest games, or fix issues found in their predecessors. A batch of new drivers from Nvidia offers a different incentive: protection against eight vulnerabilities that could be used to conduct various attacks.

Nvidia offered details about the vulnerabilities in a security bulletin this week. The vulnerabilities vary in scope. They can enable code execution, privilege escalation and denial of service (DoS) attacks and can be found in drivers for Windows, Linux, FreeBSD and Solaris operating systems. GeForce, Quadro, NVS and Tesla products are vulnerable.

One vulnerability, CVE-2018-6260, enables side-channel attacks similar in concept to the likes of Spectre and Meltdown, Intel CPU security flaws discovered in 2018. That vulnerability requires additional steps (which Nvidia didn't outline) to address even after the new drivers are installed. But because it can't be remotely exploited, it's not deemed critical.

Here's how to find the extra steps needed to address CVE-2018-6260, according to Nvidia:

  • Windows: Go to the Developer->Manage GPU Performance Counters menu of the NVIDIA Control Panel Help to see additional steps required. Enterprise customers should refer to the instructions in the Product Release Notes.
  • Linux: Refer to the Restricting Access to GPU Performance Counters section of the Linux driver Readme.

All of the vulnerabilities received CVSS V3 "base scores" to rank their severity. CVE-2018-6260 has a base score of 2.2, one scored 6.5, another 7.8 and four others had an 8.8 base score (lower is better). Nvidia said there aren't any mitigations for these flaws; defending against them requires the new drivers.

It's important to install these releases, then, even without all the flashy additions that usually inspire people to update their graphics setups. The new drivers that defend against these vulnerabilities are available now from Nvidia's website.