NVIDIA issued a security update to fix three high and medium severity security issues in the NVIDIA GPU Display Driver that could lead to code execution, denial of service, escalation of privileges, or information disclosure on vulnerable Windows machines.

Even though to abuse the patched flaws would-be attackers require local user access, they could also exploit them by remotely dropping malicious tools through various other means on computers running an unpatched NVIDIA GPU Display Driver version.

NVIDIA advises all users to update their drivers as soon as possible by applying the security update available on the NVIDIA Driver Downloads page.

Security issue with high severity ratings

The fixed issues are tracked as CVE‑2019‑5675, CVE‑2019‑5676, and CVE‑2019‑5677 and come with base scores ranging from 5.6 to 7.7, with NVIDIA's risk assessment being based on the CVSS V3 standards.

By exploiting the issues that lead to information disclosure attackers can collect valuable information about computers running an outdated version of NVIDIA GPU Display Driver.

The flaws that lead to a denial of service state, could allow potential attackers to render vulnerable computers temporarily unusable, while, by abusing unpatched code execution vulnerabilities they can run commands or code on compromised machines.

Additionally, escalation of privileges flaws in the NVIDIA GPU Display Driver make it possible to elevate user privileges, gaining permissions beyond the ones initially granted by the system.

The software issues patched by NVIDIA in their May 2019 security update are listed below, together with full descriptions and the CVSS V3 Base Score assigned to each of them.

CVE Description Base Score CVE‑2019‑5675 NVIDIA Windows GPU Display Driver contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape where the product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes, which may lead to denial of service, escalation of privileges, or information disclosure. 7.7 CVE‑2019‑5676 NVIDIA Windows GPU Display Driver installer software contains a vulnerability in which it incorrectly loads Windows system DLLs without validating the path or signature (also known as a binary planting or DLL preloading attack), leading to escalation of privileges through code execution. 7.2 CVE‑2019‑5677 NVIDIA Windows GPU Display Driver contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DeviceIoControl where the software reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer, which may lead to denial of service. 5.6

According to NVIDIA:

The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk of your local installation. NVIDIA recommends consulting a security or IT professional to evaluate the risk to your specific configuration.

The NVIDIA GPU Display Driver - May 2019 security bulletin contains the full list of software products affected by the security issues patched by NVIDIA in their February 2019 Security Update.

Impacted NVIDIA software products

As the company further details, "Windows driver versions 430.23, 425.25, and 422.02 provided by computer hardware vendors also include the security update."

NVIDIA also added the following additional information related to the CVE-2019-5676 vulnerability:

If the GPU driver is installed on Windows 7, Microsoft KB2533623 must be installed as a prerequisite to addressing this CVE. This CVE does not affect driver packages provided by your hardware vendor and applies only to driver packages that are downloaded from the NVIDIA Driver Downloads public web page.

The CVE‑2019‑5676 DLL search order hijacking flaw in the NVIDIA Windows GPU Display Driver installer that could lead to DLL preloading attacks (also known as binary planting) was reported by Kushal Arvind Shah of Fortinet's FortiGuard Labs, Łukasz 'zaeek', Yasin Soliman, Marius Mihai, and Stefan Kanthak.

During late-March, NVIDIA also released a security update for the NVIDIA GeForce Experience software for Windows which patched the CVE-2019-5674 high severity vulnerability reported by David Yesland of Rhino Security Labs that could have lead to code execution, denial of service, or escalation of privileges.