SB2018032827 - Multiple vulnerabilities in NVIDIA Windows GPU Display Driver
Published: March 28, 2018
Description
This security bulletin contains information about 7 vulnerabilities.
1) NULL pointer dereference (CVE-ID: CVE-2018-6247)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The weakness exists in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape due to a NULL pointer dereference. A local attacker can gain root privileges.
2) Infinite loop (CVE-ID: CVE-2018-6253)
CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a DoS condition on the target system.
The weakness exists in the DirectX and OpenGL Usermode drivers due to an infinite loop. A local attacker can submit a specially crafted pixel shader and cause the service to crash.
3) Improper access control (CVE-ID: CVE-2018-6252)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a DoS condition on the target system.
The weakness exists in the kernel mode layer handler for DxgkDdiEscape due to access to restricted functionality that is unnecessary for production usage. A local attacker can cause the service to crash.
4) Out-of-bounds write (CVE-ID: CVE-2018-6251)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a DoS condition or execute arbitrary code on the target system.
The weakness exists in the DirectX 10 Usermode driver due to writing to unallocated memory. A local attacker can submit a specially crafted pixel shader and cause the service to crash or execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
5) NULL pointer dereference (CVE-ID: CVE-2018-6250)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The weakness exists in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape due to a NULL pointer dereference. A local attacker can gain root privileges.
6) Buffer access with incorrect length value (CVE-ID: CVE-2018-6248)
CWE-ID: CWE-805 - Buffer Access with Incorrect Length Value
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a DoS condition or gain elevated privileges on the target system.
The weakness exists in the kernel mode layer handler for DxgkDdiEscape due to a buffer access with an incorrect length value. A local attacker can cause the service to crash or gain root privileges.
7) NULL pointer dereference (CVE-ID: CVE-2018-6249)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to cause a DoS condition or gain elevated privileges on the target system.
The weakness exists in the kernel mode layer handler due to a NULL pointer dereference. A local attacker can cause the service to crash or gain root privileges.
Remediation
Install the update from the vendor's website.