NVIDIA Product Family Security Update Advisory

Overview

 

Updates have been released to address vulnerabilities in NVIDIA products. Users of the affected versions are advised to update to the latest version.

 

Affected Products

 

CVE-2024-0117, CVE-2024-0118, CVE-2024-0119, CVE-2024-0120, CVE-2024-0121

 

GPU Display Driver

  • GeForce versions: ~ 566.03 (excluded) (Windows)
  • NVIDIA RTX, Quadro, NVS versions: ~ 566.03 (excluded) (Windows)
  • NVIDIA RTX, Quadro, NVS versions: ~ 553.24 (excluded) (Windows)
  • NVIDIA RTX, Quadro, NVS versions: ~ 538.95 (excluded) (Windows)
  • Tesla versions: ~ 566.03 (excluded) (Windows)
  • Tesla versions: ~ 553.24 (excluded) (Windows)
  • Tesla versions: ~ 538.95 (excluded) (Windows)

 

NVIDIA vGPU Software

  • Guest driver versions: ~ 17.3 (inclusive) (Windows)
  • Guest driver versions: ~ 16.7 (inclusive) (Windows)

 

NVIDIA Cloud Gaming

  • Guest driver versions: ~ 560.94 (inclusive) (Windows)

 

 

CVE-2024-0126

 

GPU Display Driver

  • GeForce versions: ~ 566.03 (excluded) (Windows)
  • NVIDIA RTX, Quadro, NVS versions: ~ 566.03 (excluded) (Windows)
  • NVIDIA RTX, Quadro, NVS versions: ~ 553.24 (excluded) (Windows)
  • NVIDIA RTX, Quadro, NVS versions: ~ 538.95 (excluded) (Windows)
  • Tesla versions: ~ 566.03 (excluded) (Windows)
  • Tesla versions: ~ 553.24 (excluded) (Windows)
  • Tesla versions: ~ 538.95 (excluded) (Windows)

 

  • GeForce versions: ~ 565.57.01 (excluded) (Linux)
  • GeForce versions: ~ 550.127.05 (excluded) (Linux)
  • GeForce versions: ~ 535.216.01 (excluded) (Linux)
  • NVIDIA RTX, Quadro, NVS versions: ~ 565.57.01 (excluded) (Linux)
  • NVIDIA RTX, Quadro, NVS versions: ~ 550.127.05 (excluded) (Linux)
  • NVIDIA RTX, Quadro, NVS versions: ~ 535.216.01 (excluded) (Linux)
  • Tesla versions: ~ 550.127.05 (excluded) (Linux)
  • Tesla versions: ~ 535.216.01 (excluded) (Linux)

 

NVIDIA vGPU Software

  • Virtual GPU Manager versions: ~ 17.3 (inclusive) (Citrix Hypervisor, VMware vSphere, Red Hat Enterprise Linux KVM, Ubuntu)
  • Virtual GPU Manager versions: ~ 16.7 (inclusive) (Citrix Hypervisor, VMware vSphere, Red Hat Enterprise Linux KVM, Ubuntu)
  • Virtual GPU Manager versions: ~ 17.3 (inclusive) (Azure Stack HCI)

 

NVIDIA Cloud Gaming

  • Virtual GPU Manager versions: ~ 560.35.03 (inclusive) (Red Hat Enterprise Linux KVM, VMware vSphere)

 

 

CVE-2024-0127, CVE-2024-0128

 

NVIDIA vGPU Software

  • Virtual GPU Manager versions: ~ 17.3 (inclusive) (Citrix Hypervisor, VMware vSphere, Red Hat Enterprise Linux KVM, Ubuntu)
  • Virtual GPU Manager versions: ~ 16.7 (inclusive) (Citrix Hypervisor, VMware vSphere, Red Hat Enterprise Linux KVM, Ubuntu)
  • Virtual GPU Manager versions: ~ 17.3 (inclusive) (Azure Stack HCI)

 

NVIDIA Cloud Gaming

  • Virtual GPU Manager versions: ~ 560.35.03 (inclusive) (Red Hat Enterprise Linux KVM, VMware vSphere)

 

CVE-2024-0105

  • ConnectX4 versions: ~ 12.28.2302 (excluded)
  • ConnectX4 LX versions: ~ xx.32.1900 (excluded)
  • ConnectX GA versions: ~ xx.41.1000 (excluded) (ConnectX 6, ConnectX 6 DX, ConnectX 6 LX, ConnectX 7)
  • ConnectX LTS22 versions: ~ xx.35.4030 (excluded) (ConnectX 5, ConnectX 6, ConnectX 6 DX, ConnectX 6 LX, ConnectX 7)
  • ConnectX LTS23 versions: ~ xx.39.3560 (excluded) (ConnectX 6, ConnectX 6 DX, ConnectX 6 LX, ConnectX 7)

 

CVE-2024-0105, CVE-2024-0106

  • BlueField 1 versions: ~ 18.31.1014 (excluded)
  • BlueField GA versions: ~ xx.41.1000 (excluded) (BlueField 2, BlueField 3)
  • BlueField LTS22 versions: ~ xx.35.4030 (excluded) (BlueField 2)
  • BlueField LTS23 versions: ~ xx.39.3560 (excluded) (BlueField 2, BlueField 3)

 

 

Resolved Vulnerabilities

 

Vulnerabilities in the user-mode layer of the NVIDIA GPU display driver that could allow out-of-bounds reads by an unauthorized user, resulting in code execution, denial of service, privilege escalation, information disclosure, or data manipulation (CVE-2024-0117, CVE-2024-0118, CVE-2024-0119, CVE-2024-0120, CVE-2024-0121, CVE-2024-0126)

Vulnerability in vGPU Manager in NVIDIA vGPU software that allows guest OS users to corrupt the guest OS kernel, resulting in improper input validation (CVE-2024-0127)

Vulnerability in Virtual GPU Manager in NVIDIA vGPU Software that could allow guest OS users to access global resources (CVE-2024-0128)

Vulnerability in NVIDIA ConnectX firmware that could allow an attacker to exploit a lack of privilege issue resulting in a denial of service, data corruption, and possibly information leakage (CVE-2024-0105)

A lack of privilege handling vulnerability in the host firmware of NVIDIA ConnectX BlueField DPUs (CVE-2024-0106)

 

Vulnerability Patches

 

Patches for these vulnerabilities are available in the latest updates. Follow the instructions on the Referenced Sites to update to the latest patched version.

 

CVE-2024-0117, CVE-2024-0118, CVE-2024-0119, CVE-2024-0120, CVE-2024-0121

GPU Display Driver

  • GeForce version: 566.03 (Windows)
  • NVIDIA RTX, Quadro, NVS version: 566.03 (Windows)
  • NVIDIA RTX, Quadro, NVS version: 553.24 (Windows)
  • NVIDIA RTX, Quadro, NVS version: 538.95 (Windows)
  • Tesla version: 566.03 (Windows)
  • Tesla version: 553.24 (Windows)
  • Tesla version: 538.95 (Windows)

 

NVIDIA vGPU Software

  • Guest driver version: 17.4 (Windows)
  • Guest driver version: 16.8 (Windows)

 

NVIDIA Cloud Gaming

  • Guest driver version: 566.03 (Windows)

 

 

CVE-2024-0126

GPU Display Driver

  • GeForce version: 566.03 (Windows)
  • NVIDIA RTX, Quadro, NVS version: 566.03 (Windows)
  • NVIDIA RTX, Quadro, NVS version: 553.24 (Windows)
  • NVIDIA RTX, Quadro, NVS version: 538.95 (Windows)
  • Tesla version: 566.03 (Windows)
  • Tesla version: 553.24 (Windows)
  • Tesla version: 538.95 (Windows)

 

  • GeForce version: 565.57.01 (Linux)
  • GeForce version: 550.127.05 (Linux)
  • GeForce version: 535.216.01 (Linux)
  • NVIDIA RTX, Quadro, NVS version: 565.57.01 (Linux)
  • NVIDIA RTX, Quadro, NVS version: 550.127.05 (Linux)
  • NVIDIA RTX, Quadro, NVS version: 535.216.01 (Linux)
  • Tesla version: 550.127.05 (Linux)
  • Tesla version: 535.216.01 (Linux)

 

NVIDIA vGPU Software

  • Virtual GPU Manager version: 17.4 (Citrix Hypervisor, VMware vSphere, Red Hat Enterprise Linux KVM, Ubuntu)
  • Virtual GPU Manager version: 16.8 (Citrix Hypervisor, VMware vSphere, Red Hat Enterprise Linux KVM, Ubuntu)
  • Virtual GPU Manager version: 17.4 (Azure Stack HCI)

 

NVIDIA Cloud Gaming

  • Virtual GPU Manager version: 565.57.01 (Red Hat Enterprise Linux KVM, VMware vSphere)

 

 

CVE-2024-0127, CVE-2024-0128

NVIDIA vGPU Software

  • Virtual GPU Manager version: 17.4 (Citrix Hypervisor, VMware vSphere, Red Hat Enterprise Linux KVM, Ubuntu)
  • Virtual GPU Manager version: 16.8 (Citrix Hypervisor, VMware vSphere, Red Hat Enterprise Linux KVM, Ubuntu)
  • Virtual GPU Manager version: 17.4 (Azure Stack HCI)

 

NVIDIA Cloud Gaming

  • Virtual GPU Manager version: 565.57.01 (Red Hat Enterprise Linux KVM, VMware vSphere)

 

CVE-2024-0105

  • ConnectX4 version: 12.28.2302 or later
  • ConnectX4 LX version: xx.32.1900 or later
  • ConnectX GA version: xx.41.1000 or later (ConnectX 6, ConnectX 6 DX, ConnectX 6 LX, ConnectX 7)
  • ConnectX LTS22 version: xx.35.4030 or later (ConnectX 5, ConnectX 6, ConnectX 6 DX, ConnectX 6 LX, ConnectX 7)
  • ConnectX LTS23 version: xx.39.3560 or later (ConnectX 6, ConnectX 6 DX, ConnectX 6 LX, ConnectX 7)

 

CVE-2024-0105, CVE-2024-0106

  • BlueField 1 version: Contact your NVIDIA Customer Program Manager.
  • BlueField GA version: xx.41.1000 or later (BlueField 2, BlueField 3)
  • BlueField LTS22 version: xx.35.4030 or later (BlueField 2)
  • BlueField LTS23 version: xx.39.3560 or later (BlueField 2, BlueField 3)

 

 

Referenced Sites

 

[1] Security Bulletin: NVIDIA GPU Display Driver – October 2024

https://nvidia.custhelp.com/app/answers/detail/a_id/5586

[2] Security Bulletin: NVIDIA ConnectX and BlueField – October 2024

https://nvidia.custhelp.com/app/answers/detail/a_id/5562