Ubuntu update for nvidia-graphics-drivers-390



Published: 2021-05-04
Risk: Low
Patch available: YES
Number of vulnerabilities: 2
CVE-ID: CVE-2021-1076, CVE-2021-1077
CWE-ID: CWE-284, CWE-763
Exploitation vector: Local
Public exploit: N/A
Vulnerable software
Ubuntu
Operating systems & Components / Operating system

xserver-xorg-video-nvidia-390 (Ubuntu package)
Operating systems & Components / Operating system package or component

xserver-xorg-video-nvidia-450-server (Ubuntu package)
Operating systems & Components / Operating system package or component

xserver-xorg-video-nvidia-460-server (Ubuntu package)
Operating systems & Components / Operating system package or component

xserver-xorg-video-nvidia-450 (Ubuntu package)
Operating systems & Components / Operating system package or component

xserver-xorg-video-nvidia-460 (Ubuntu package)
Operating systems & Components / Operating system package or component

xserver-xorg-video-nvidia-418-server (Ubuntu package)
Operating systems & Components / Operating system package or component

Vendor Canonical Ltd.

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Improper access control

EUVDB-ID: #VU52488

Risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-1076

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a local user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in the kernel mode layer (nvlddmkm.sys or nvidia.ko). A local user can bypass implemented security restrictions, leading to denial of service, information disclosure or data corruption.

Mitigation

Update the affected package nvidia-graphics-drivers-390 to the latest version.

Vulnerable software versions

Ubuntu: 18.04 - 21.04

xserver-xorg-video-nvidia-390 (Ubuntu package): before 390.143-0ubuntu0.20.10.1

xserver-xorg-video-nvidia-450-server (Ubuntu package): before 450.119.03-0ubuntu1

xserver-xorg-video-nvidia-460-server (Ubuntu package): before 460.73.01-0ubuntu1

xserver-xorg-video-nvidia-450 (Ubuntu package): before 450.119.03-0ubuntu1

xserver-xorg-video-nvidia-460 (Ubuntu package): before 460.73.01-0ubuntu1

xserver-xorg-video-nvidia-418-server (Ubuntu package): before 418.197.02-0ubuntu1

External links

http://ubuntu.com/security/notices/USN-4935-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Release of invalid pointer or reference

EUVDB-ID: #VU52489

Risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-1077

CWE-ID: CWE-763 - Release of invalid pointer or reference

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists because the affected software uses a reference count to manage a resource, and that count is incorrectly updated. A local user can cause a denial of service condition on the target system.

Mitigation

Update the affected package nvidia-graphics-drivers-390 to the latest version.

Vulnerable software versions

Ubuntu: 18.04 - 21.04

xserver-xorg-video-nvidia-390 (Ubuntu package): before 390.143-0ubuntu0.20.10.1

xserver-xorg-video-nvidia-450-server (Ubuntu package): before 450.119.03-0ubuntu1

xserver-xorg-video-nvidia-460-server (Ubuntu package): before 460.73.01-0ubuntu1

xserver-xorg-video-nvidia-450 (Ubuntu package): before 450.119.03-0ubuntu1

xserver-xorg-video-nvidia-460 (Ubuntu package): before 460.73.01-0ubuntu1

xserver-xorg-video-nvidia-418-server (Ubuntu package): before 418.197.02-0ubuntu1
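
The "Mitigation" and "Vulnerable software versions" entries for both vulnerabilities reduce to one check: is any listed package installed below its stated version? The following is an added example, not part of the original bulletin; it compares a package listing against the thresholds above using the Debian version ordering rules. The function names and the sample listing are constructed for illustration.

```python
import re

# Thresholds copied from this page ("before <version>" means vulnerable).
FIXED = {
    "xserver-xorg-video-nvidia-390": "390.143-0ubuntu0.20.10.1",
    "xserver-xorg-video-nvidia-418-server": "418.197.02-0ubuntu1",
    "xserver-xorg-video-nvidia-450": "450.119.03-0ubuntu1",
    "xserver-xorg-video-nvidia-450-server": "450.119.03-0ubuntu1",
    "xserver-xorg-video-nvidia-460": "460.73.01-0ubuntu1",
    "xserver-xorg-video-nvidia-460-server": "460.73.01-0ubuntu1",
}

def _order(ch):
    # Debian ordering: '~' sorts before end-of-string (0), letters before other symbols.
    return -1 if ch == "~" else ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_part(a, b):
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        # Pad the shorter non-digit run with 0 (end-of-string) so '~' still sorts first.
        ka = [_order(c) for c in na] + [0] * (len(nb) - len(na))
        kb = [_order(c) for c in nb] + [0] * (len(na) - len(nb))
        if ka != kb:
            return -1 if ka < kb else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def _split(v):
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def deb_compare(a, b):
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea > eb) - (ea < eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def vulnerable(dpkg_listing):
    # Map package -> installed version for packages below the page's threshold.
    rows = (line.split() for line in dpkg_listing.splitlines())
    return {r[0]: r[1] for r in rows
            if len(r) == 2 and r[0] in FIXED and deb_compare(r[1], FIXED[r[0]]) < 0}

# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` output.
SAMPLE = ("xserver-xorg-video-nvidia-390 390.141-0ubuntu0.20.10.1\n"
          "xserver-xorg-video-nvidia-460 460.73.01-0ubuntu1\n"
          "xserver-xorg-video-nvidia-450-server 450.102.04-0ubuntu0.20.04.1\n")
```

The release suffix is part of the revision string, so a build numbered for an older Ubuntu release can compare lower than the single threshold this page gives per package; check USN-4935-1 for the fixed version that applies to your release.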

External links

http://ubuntu.com/security/notices/USN-4935-1


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


