NVIDIA today put out an official Security Bulletin, noting multiple flaws found in their Windows and Linux drivers. The good news is that drivers are already out that fix the problems, which I'll detail below.
Here are all those that affect Linux. Brace yourself, there are quite a few of them:
CVE‑2022‑34670 - NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an unprivileged regular user can cause truncation errors when casting a primitive to a primitive of smaller size causes data to be lost in the conversion, which may lead to denial of service or information disclosure.
CVE‑2022‑42263 - NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an Integer overflow may lead to denial of service or information disclosure.
CVE‑2022‑34676 - NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an out-of-bounds read may lead to denial of service, information disclosure, or data tampering.
CVE‑2022‑42264 - NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer, where an unprivileged regular user can cause the use of an out-of-range pointer offset, which may lead to data tampering, data loss, information disclosure, or denial of service.
CVE‑2022‑34674 - NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where a helper function maps more physical pages than were requested, which may lead to undefined behavior or an information leak.
CVE‑2022‑34678 - NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where an unprivileged user can cause a null-pointer dereference, which may lead to denial of service.
CVE‑2022‑34679 - NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an unhandled return value can lead to a null-pointer dereference, which may lead to denial of service.
CVE‑2022‑34680 - NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an integer truncation can lead to an out-of-bounds read, which may lead to denial of service.
CVE‑2022‑34677 - NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an unprivileged regular user can cause an integer to be truncated, which may lead to denial of service or data tampering.
CVE‑2022‑34682 - NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer, where an unprivileged regular user can cause a null-pointer dereference, which may lead to denial of service.
CVE‑2022‑42257 - NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow may lead to information disclosure, data tampering or denial of service.
CVE‑2022‑42265 - NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow may lead to information disclosure or data tampering.
CVE‑2022‑34684 - NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an off-by-one error may lead to data tampering or information disclosure.
CVE‑2022‑42254 - NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an out-of-bounds array access may lead to denial of service, data tampering, or information disclosure.
CVE‑2022‑42258 - NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow may lead to denial of service, data tampering, or information disclosure.
CVE‑2022‑42255 - NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an out-of-bounds array access may lead to denial of service, information disclosure, or data tampering.
CVE‑2022‑42256 - NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow in index validation may lead to denial of service, information disclosure, or data tampering.
CVE‑2022‑34673 - NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an out-of-bounds array access may lead to denial of service, information disclosure, or data tampering.
CVE‑2022‑42259 - NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow may lead to denial of service.
There are also a few for NVIDIA vGPU, and they affect Tesla too. There are also some that only affect Windows; this isn't a Linux-specific thing, but a lot of them are just in their Linux drivers.
As mentioned, the good news is that drivers are already out that solve them. For GeForce users you want minimum driver versions 525.60.11, 515.86.01, 510.108.03, 470.161.03 or 390.157. For RTX, Quadro or NVS you want a minimum driver version of 525.60.11, 515.86.01, 510.108.03, 470.161.03 or 390.157. To put it very simply, if you're not using the very latest NVIDIA drivers in whatever series, update now: all versions prior to the drivers released on November 22nd are vulnerable.
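To check a machine against those minimums, here is a small POSIX shell script, added as an example and not taken from NVIDIA's bulletin. The function names and the `--check` flag are hypothetical, it assumes the usual first-line format of `/proc/driver/nvidia/version`, and any branch not listed above is reported as unknown rather than guessed.

```shell
#!/bin/sh
# Added example: compare an NVIDIA Linux driver version with the fixed
# releases listed in the article. Branches not listed there are "unknown".
FIXED_VERSIONS="525.60.11 515.86.01 510.108.03 470.161.03 390.157"

# ver_ge A B: succeed when dotted version A >= B, compared field by field.
ver_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}                      # leading fields
        case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# Prints patched | vulnerable | unknown-branch | invalid for one version.
nvidia_fix_status() {
    ver=$1
    printf '%s\n' "$ver" | grep -Eq '^[0-9]+(\.[0-9]+){1,2}$' ||
        { echo invalid; return 2; }
    for min in $FIXED_VERSIONS; do
        [ "${ver%%.*}" = "${min%%.*}" ] || continue   # same branch (525, 470, ...)
        if ver_ge "$ver" "$min"; then echo patched; return 0; fi
        echo vulnerable; return 1
    done
    echo unknown-branch; return 3
}

# Version of the module that is loaded right now. After a package update the
# old nvidia.ko stays loaded until it is reloaded or the machine reboots, so
# this is the value that matters for the kernel-mode flaws listed above.
loaded_nvidia_version() {
    [ -r /proc/driver/nvidia/version ] || return 1
    head -n1 /proc/driver/nvidia/version |
        grep -oE '[0-9]+\.[0-9]+(\.[0-9]+)?' | head -n1
}

# Run as: sh check-nvidia.sh --check   (file name is hypothetical)
if [ "${1:-}" = "--check" ]; then
    v=$(loaded_nvidia_version) || { echo "no NVIDIA kernel module loaded"; exit 0; }
    echo "loaded driver $v: $(nvidia_fix_status "$v")"
fi
```

A "vulnerable" result right after installing the update usually means the old module is still loaded; reboot or reload the driver and check again.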
Going by the bulletin page, the issues were public on November 28 but they've seemingly only just actually put out the security bulletin email.
Last edited by fireplace on 2 December 2022 at 7:03 pm UTC
Quoting: fireplace
> This is all old stuff. NVidia (and most companies in general) publish these reports long after everything has been privately patched. Your software update may look like any other, but there is a good chance it has security fixes. That's why Torvalds doesn't like when people treat security fixes and bug fixes differently. They're all equally important :)
I'm afraid it's not all old stuff. In this case previous drivers were compromised, as their bulletin points out you need all the latest drivers in each series, as all previous are vulnerable and the fixed drivers were only released on November 22nd so many people will be out of date.
Quoting: dpanter
> Yikes.
Security issues are hardly uncommon for stuff like this, Linux users just tend to pay more attention. Kudos for Liam mentioning driver versions, not sure if NVIDIA did too or not. Usually stuff like this is when I have to explain to people what backports are and why their systems are okay.
Quoting: Liam Dawe
> I'm afraid it's not all old stuff. In this case previous drivers were compromised, as their bulletin points out you need all the latest drivers in each series, as all previous are vulnerable and the fixed drivers were only released on November 22nd so many people will be out of date.
The standard "Make sure to keep X up to date" has nothing to do whether any previous version was vulnerable. The CVEs are reported at a much later date by then. Updates will keep coming and new exploits will arise. But all of that doesn't matter. You should keep your software up to date regardless of whether it's a "security fix" or not. Bugs are bugs.
Last edited by fireplace on 2 December 2022 at 7:19 pm UTC
Quoting: fireplace
> The standard "Make sure to keep X up to date" has nothing to do whether any previous version was vulnerable. The CVEs are reported at a much later date by then. Updates will keep coming and new exploits will arise. But all of that doesn't matter. You should keep your software up to date regardless of whether it's a "security fix" or not. Bugs are bugs.
I really don't know what you're trying to get at. The security bulletin is clear about all prior versions to those listed in the article released on November 22nd as being vulnerable.
Quoting: Liam Dawe
> I really don't know what you're trying to get at. The security bulletin is clear about all prior versions to those listed in the article released on November 22nd as being vulnerable.
What I'm trying to say is that all updates are of equal importance. This one isn't somehow special as nvidia probably addressed those privately even if it says that this latest one is the one with all the fixes.
Last edited by fireplace on 2 December 2022 at 7:29 pm UTC
For less technically competent people, like me, how likely are these vulnerabilities to be exploited?
I know there is some degree of difference in how realistic these can be, but nevertheless, I totally agree it's important to update.
Last edited by Terrace on 2 December 2022 at 9:06 pm UTC