Nvidia releases new Unix driver to fix high-risk privilege escalation vulnerability

Nvidia Unix driver 304.32 addresses vulnerability that can grant local users root access

Lucian Constantin (IDG News Service)
06 August, 2012 14:12
Comments

Graphics chip maker Nvidia released a new version of its Unix driver on Friday in order to address a high-risk vulnerability that can be exploited by local users to gain root privileges on Linux systems.

The privilege escalation vulnerability fixed in the new 304.32 version of the Nvidia Unix driver 304.32 was publicly disclosed last Wednesday by Dave Airlie, a principal engineer in the graphics team at Linux vendor Red Hat.

The public disclosure was done at the request of an anonymous researcher who originally discovered the flaw and after Nvidia failed to respond to a private report about the vulnerability, Airlie said in an email sent to the Full Disclosure mailing list.

Airlie's message also included proof-of-concept exploit code created by the anonymous researcher to demonstrate the vulnerability.

"We contacted Nvidia via their advertised security alias in June," Airlie said Friday via email. "It appears there were some process issues on their end that may have meant our email didn't get noticed."

The vulnerability is present in the Nvidia Unix driver 295.59 and earlier versions, but the proof-of-concept exploit was designed for 64-bit Linux systems.

On Friday, Nvidia confirmed the existence of the vulnerability and released version 304.32 of the Nvidia Unix driver for Linux, FreeBSD and Solaris operating systems in order to address it. The new version also includes other changes that the company believes will prevent similar exploits in the future.

"Because any user with read and write access to the NVIDIA device files (which is needed to execute applications that use the GPU) could potentially exploit this vulnerability to gain access to arbitrary system memory, this vulnerability is classified as high risk by NVIDIA," the company said in a technical support article.

However, despite the new release, the company still offers version 295.59 as primary download on its Unix drivers page.

In order to address the problem for users who can't or don't want to upgrade to the new driver version, the company also released a patch that can be applied manually to older drivers. Deploying it requires installing an older patch for a different vulnerability first.

However, unlike the new 304.32 version of the driver, the manual patch will break compatibility with the Linux CUDA debugger, a tool used by developers to debug code written for Nvidia's CUDA hardware acceleration technology.

Linux vendors might release patched versions of older NVIDIA drivers that have been tested with different versions of their Linux distributions as well. These can be obtained through their respective update channels.

"What are the methods these SMEs have used to ascertain that additional ..."

Social media boosts revenue for SMEs: MYOB research
"Djinn, did you just skip the intro paragraph?"

Samsung Galaxy S4 vs. HTC One: 5 Reasons to Choose the GS4
""5 Resons Why I Choose the GS4" is a better title, because ..."

Samsung Galaxy S4 vs. HTC One: 5 Reasons to Choose the GS4
"It is much easier to become a manager in IT than it ..."

Solving the skills conundrum – part 1
"1. The HTC has a better low light camera and the lens ..."

Samsung Galaxy S4 vs. HTC One: 5 Reasons to Choose the GS4

Latest Blog Posts

Whitepapers

Moving to a Private Cloud? Infrastructure Really Matters!
The Cloud isn’t about locality. It is about quality of service delivery, cost, and whether the services consumed satisfy our objectives. For the enterprise, you need to select the right QoS to mitigate the inherent risks or you face the problem of losing data and the ability to execute operationally. Read on.

Learn more »
Advanced Targeted Attacks
The new threat landscape has changed. Cybercriminals are aggressively pursuing valuable data assets, such as financial transaction information, product design blueprints, user credentials to sensitive systems, and other intellectual property. Simply put, the cyber offense has outpaced the defensive technologies used by most companies today. Find out more on how to protect against the next generation of cyber-attacks.

Learn more »
Endpoint Protection Overview
With the exponential growth and sophistication of malware today, the security industry can no longer afford to ‘bury its head in the sand’. The bottom line is that traditional endpoint security protection is now ineffective due to the sheer volume, quality, and complexity of malware. This paper looks at this problem and how Webroot, by going back to the drawing board on countering malware threats, is revolutionising endpoint protection and solving the issues that hinder existing endpoint security solutions. Download now.

Learn more »

All whitepapers

Most Read
Most Commented

Get exclusive access to Invitation only events CIO, reports & analysis.

Latest Jobs

Zones

Featured Whitepapers

Six Reasons to Empower Your SharePoint Citizen Developers

More and more business applications are being created by “citizen developers” - end users who are not IT developers but who create solutions for themselves and their groups. This white ...

Recent comments

"What are the methods these SMEs have used to ascertain that additional ..."
Social media boosts revenue for SMEs: MYOB research
"Djinn, did you just skip the intro paragraph?"
Samsung Galaxy S4 vs. HTC One: 5 Reasons to Choose the GS4
""5 Resons Why I Choose the GS4" is a better title, because ..."
Samsung Galaxy S4 vs. HTC One: 5 Reasons to Choose the GS4
"It is much easier to become a manager in IT than it ..."
Solving the skills conundrum – part 1
"1. The HTC has a better low light camera and the lens ..."
Samsung Galaxy S4 vs. HTC One: 5 Reasons to Choose the GS4

Follow CIO

Market Place

Now out of the office never means out of the loop. Office 365 – your complete office in the cloud.

Security 2013 Exhibition: 160 brands, new innovations, expert speakers & more, register now.

Deploying mobility worthwhile challenge hear what CIOs have to say.. Read more

SolveXia’s key tips for CIOs seeking improved productivity through automation. Click here

Latest Jobs

Subscribe to CIO

Critical. Authoritative. Strategic. CIO magazine addresses the issues vital to the success of IT and business executives. Solutions-oriented editorial provides a greater understanding of the role IT plays in achieving corporate goals. Subscribe to the print edition today.

Download OPML file for import with all IDG RSS feeds

CSO Online Data Security Briefing

Nvidia releases new Unix driver to fix high-risk privilege escalation vulnerability

Recommended

Does encryption really shield you from government's prying ...

Google Glass apps for enterprises coming by early ...

Latest iPhone 6 concept design inspired by Apple ...

Debating the digital economy

Why the fuss about big data?

Homeless multinationals and taxing decisions

Samsung Galaxy S4 vs. HTC One: 5 Reasons to Choose the GS4

10 Tips for Dealing with a Bully Boss

5 open source help desk apps to watch

How to define the scope of a project

Australia suspected to have PRISM data: Ludlam

Samsung Galaxy S4 vs. HTC One: 5 Reasons to Choose the GS4

Online shopping reaches mainstream status

Australia Post’s mail business to lose $200 million this year

Solving the skills conundrum – part 1

Why Agile Isn't Working: Bringing Common Sense to Agile Principles

Symantec Business Critical Virtualisation Content Zone

BlackBerry Enterprise Service 10 Zone

HP Tech Connect Resource Centre

Six Reasons to Empower Your SharePoint Citizen Developers

Enterprise Mobility Management: Embracing BYOD Through Secure App and Data Delivery

Legal Compliance in Electronic Record Keeping

The IT Priorities for 2013

Forrester: The Three Stages of Cloud Economics