NVIDIA has released critical security updates for its vGPU software, addressing multiple vulnerabilities that could potentially lead to serious security breaches.
The vulnerabilities, identified as CVE-2024-0127 and CVE-2024-0128, have been found in the GPU kernel driver and Virtual GPU Manager, affecting all supported hypervisors.
We have also reported today on an NVIDIA critical security update for its GPU Display Driver that fixes vulnerabilities which could enable remote code execution, privilege escalation, and other serious risks on Windows and Linux systems.
Key Vulnerabilities
- CVE-2024-0127: This vulnerability exists in the GPU kernel driver of the vGPU Manager. It allows a user of the guest OS to exploit improper input validation, potentially leading to code execution, privilege escalation, data tampering, denial of service, and information disclosure. It has a base score of 7.8, rated as High severity.
- CVE-2024-0128: Found in the Virtual GPU Manager, this vulnerability enables a guest OS user to access global resources, risking information disclosure and privilege escalation. It carries a base score of 7.1 and is also rated High.
Affected Software and Updates
The vulnerabilities affect various components across different operating systems:
vGPU Software Components
CVEs Addressed | Component | OS | Affected Versions | Updated Version |
---|---|---|---|---|
CVE‑2024‑0117 to CVE‑2024‑0121 | Guest driver | Windows | Up to 17.3 (552.74) and 16.7 (538.78) | 17.4 (553.24) and 16.8 (538.95) |
N/A | Guest driver | Linux | Up to 17.3 (550.90.07) and 16.7 (535.183.06) | 17.4 (550.127.05) and 16.8 (535.216.01) |
CVE‑2024‑0126 to CVE‑2024‑0128 | Virtual GPU Manager | Citrix Hypervisor, VMware vSphere, Red Hat Enterprise Linux KVM, Ubuntu | Up to 17.3 (550.90.05) and 16.7 (535.183.04) | 17.4 (550.127.06) and 16.8 (535.216.01) |
CVE‑2024‑0126 to CVE‑2024‑0128 | Virtual GPU Manager | Azure Stack HCI | Up to 17.3 (552.55) | 17.4 (553.20) |
- Guest Driver for Windows: Updates are available for versions up to 17.3 and 16.7.
- Guest Driver for Linux: Updates are available for versions up to 17.3 and 16.7.
- Virtual GPU Manager: Updates are necessary for Citrix Hypervisor, VMware vSphere, Red Hat Enterprise Linux KVM, Ubuntu, and Azure Stack HCI.
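To check an inventory against the vGPU software table above, the following added example (not NVIDIA's code and not part of the original article) compares Linux guest driver and Virtual GPU Manager versions with the fixed builds listed there. It assumes the driver major number identifies the release branch (550 for 17.x, 535 for 16.x) and treats any build below the fixed one as needing the update. The host names and inventory are constructed, and the two-part Windows and Azure Stack HCI version format is out of scope.

```python
# Added example. Fixed builds are copied from the vGPU software table above.
# Assumption: the driver major number identifies the branch (550 -> 17.x, 535 -> 16.x).
FIXED = {
    "linux-guest": {550: ("17.4", "550.127.05"), 535: ("16.8", "535.216.01")},
    "vgpu-manager": {550: ("17.4", "550.127.06"), 535: ("16.8", "535.216.01")},
}


def parse(version):
    """Turn '550.90.07' into (550, 90, 7) so each field compares numerically."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected driver version format: {version!r}")
    return tuple(int(p) for p in parts)


def assess(component, version):
    """Return (status, detail) for one installed driver version."""
    ver = parse(version)
    branch = FIXED[component].get(ver[0])
    if branch is None:
        return "unknown", f"{version}: branch not in the table, check the bulletin"
    release, fixed = branch
    if ver < parse(fixed):
        return "update", f"{version} is older than {fixed} (vGPU {release})"
    return "ok", f"{version} is at or above {fixed} (vGPU {release})"


def audit(inventory):
    """inventory: iterable of (host, component, version) tuples."""
    return [(host, *assess(comp, ver)) for host, comp, ver in inventory]


# Constructed inventory; on a real host the version string can be read with
#   nvidia-smi --query-gpu=driver_version --format=csv,noheader
SAMPLE = [
    ("esx-01", "vgpu-manager", "550.90.05"),
    ("esx-02", "vgpu-manager", "550.127.05"),  # one build short of the fixed manager
    ("kvm-01", "vgpu-manager", "535.216.01"),
    ("vm-17", "linux-guest", "550.127.05"),
    ("vm-18", "linux-guest", "560.35.03"),  # cloud gaming branch, not covered here
]

if __name__ == "__main__":
    for host, status, detail in audit(SAMPLE):
        print(f"{host:8} {status:8} {detail}")
```

Comparing the versions as plain strings would rank 550.90.07 above 550.127.05, which is why each field is converted to an integer first.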
Cloud Gaming Software
CVEs Addressed | Component | OS | Affected Versions | Updated Version |
---|---|---|---|---|
CVE‑2024‑0117 to CVE‑2024‑0121 | Guest driver | Windows | Up to September 2024 release (560.94) | October 2024 Release (566.03) |
N/A | Guest driver | Linux | Up to September 2024 release (560.35.03) | October 2024 Release (565.57.01) |
CVE‑2024‑0126 to CVE‑2024‑0128 | Virtual GPU Manager | Red Hat Enterprise Linux KVM, VMware vSphere | Up to September 2024 release (560.35.03) | October 2024 Release (565.57.01) |
Guest Driver for Windows and Linux: Updates required for all versions up to the September 2024 release.
Mitigations and Recommendations
To mitigate these vulnerabilities, NVIDIA recommends users download the latest updates through the NVIDIA Licensing Portal. Users are also encouraged to upgrade any earlier branch releases that might be affected.
NVIDIA thanks Piotr Bania from Cisco Talos for reporting several vulnerabilities (CVE‑2024‑0117 through CVE‑2024‑0121), and Maxim Mints and Austin Herring for CVE‑2024‑0126.
For further details on these updates or to report potential security issues, visit the NVIDIA Product Security page.