Wednesday, June 24, 2020

Vulnerability Spotlight: Denial-of-service vulnerability in NVIDIA driver

Piotr Bania of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Executive summary

The NVWGF2UMX_CFG.DLL driver contains a denial-of-service vulnerability that an attacker could use to disrupt processes over a virtual machine. An adversary could exploit this bug by providing a specially crafted pixel shader over VMware guests and VMware hosts, leading to a VMware process crash on the host machine.

In accordance with our coordinated disclosure policy, Cisco Talos worked with NVIDIA and VMware to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

NVIDIA NVWGF2UMX_CFG.DLL shader functionality denial-of-service vulnerability (TALOS-2019-0971/CVE-2020-5965)

An exploitable denial-of-service vulnerability exists in NVIDIA NVWGF2UMX_CFG.DLL (versions 26.21.14.4128 and 26.21.14.4166 on NVIDIA D3D10 and versions 441.28 and 441.66 on NVIDIA Quadro K620). A specially crafted pixel shader can cause denial-of-service issues. An attacker can provide a specially crafted shader file to trigger this vulnerability. This vulnerability can be triggered from a VMware guest, and VMware hosts will be affected (leading to a vmware-vmx.exe process crash on the host).

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that TALOS-2019-0971 affects VMware Workstation 15 (15.5.1 build-15018445) with Windows 10 x64 as guest VM, the NVIDIA NVWGF2UMX_CFG.dll driver (versions 26.21.14.4128 and 26.21.14.4166), NVIDIA D3D10 driver, versions 441.28 and 441.66 on NVIDIA Quadro K620.

Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 52495, 52496
