GeForce Driver Updates Contain Security Fixes
Subject: Graphics Cards | February 28, 2019 - 11:25 PM | Scott Michaud
Tagged: nvidia, graphics drivers, security
Normally, when we discuss graphics drivers, there is a subset of users who like to stay on old versions. Some have older hardware and believe that they will get limited benefits going forward. Others encounter a bug with a certain version and will refuse to update until it is patched.
In this case – you probably want to update regardless.
NVIDIA has found eight security vulnerabilities in their drivers, which have been corrected in their latest versions. One of them also affects Linux... more on that later.
On Windows, there are five supported branches:
- Users of R418 for GeForce, Quadro, and NVS should install 419.17.
- Users of R418 for Tesla should install 418.96.
- Users of R400 for Quadro and NVS should install 412.29.
- Users of R400 for Tesla should install 412.29.
- Users of R390 for Quadro and NVS should install 392.37.
Basically, you should install 419.17 unless you are using professional hardware.
One issue is being likened to Meltdown and Spectre, although it is not quite the same. In those cases, the exploit took advantage of hardware optimizations to leak system memory. In the case of CVE-2018-6260, however, the attack uses NVIDIA’s performance counters to potentially leak graphics memory. The difference is that GPU performance counters are a developer tool, used by applications like NVIDIA Nsight, to provide diagnostics. Further, beyond targeting a developer tool that can be disabled, this attack also requires local access to the device.
Linux users are also vulnerable to this attack (but not the other seven):
- Users of R418 for GeForce, Quadro, and NVS should install 418.43.
- Users of R418 for Tesla should install 418.39.
- Users of R400 for GeForce, Quadro, NVS, and Tesla should install 410.104.
- Users of R390 for GeForce, Quadro, NVS, and Tesla should install 390.116.
- Users of R384 for Tesla should install 384.183.
Whether on Windows or Linux, after installing the update, a hidden option will allow you to disable GPU performance counters unless admin credentials are provided. I don’t know why it’s set to the insecure variant by default… but the setting can be toggled in the NVIDIA Control Panel. On Windows, the path is Desktop > Enable Developer Settings, then Manage GPU Performance Counters under Developer, then "Restrict access to the GPU counters to admin users only". See the driver release notes (especially the "Driver Security" section) for more info.
The main thing to fix is the other seven, however. That just requires the driver update. You should have received a notification from GeForce Experience if you use it; otherwise, check out NVIDIA’s website.