SB2016082201 - Multiple vulnerabilities in NVIDIA drivers




Published: August 22, 2016

Security Bulletin ID SB2016082201
Severity Low
Patch available Yes
Number of vulnerabilities 6
Exploitation vector Local access
Highest impact Code execution

Breakdown by Severity

Medium 17% Low 83%

Description

This security bulletin contains information about 6 security vulnerabilities.


1) Privilege Escalation (CVE-ID: CVE-2016-5852)

The vulnerability allows a local authenticated user to obtain elevated privileges on the target system.

The vulnerability exists due to improper input validation in the GFE GameStream and NVTray Plugin. A local user can bypass security restrictions and obtain elevated privileges on the system.

Successful exploitation of this vulnerability will allow the local attacker to obtain elevated privileges on the vulnerable system and cause arbitrary code execution.

2) Denial of service (CVE-ID: CVE-2016-4959)

The vulnerability allows a remote user to cause DoS conditions on the target system.
The weakness is caused by improper input validation in the Remote Desktop component. Attackers can trigger a blue screen crash and a kernel null pointer dereference.
Successful exploitation of the vulnerability may result in denial of service on the vulnerable system.

3) Privilege Escalation (CVE-ID: CVE-2016-3161)



4) Denial of Service (CVE-ID: CVE-2016-4961)

The vulnerability allows a local authenticated attacker to trigger DoS conditions on a target system.
The weakness is caused by improper input validation in the NVStreamKMS.sys API layer. By supplying specially crafted parameters, a malicious user can bypass security limitations and crash the vulnerable service.
Successful exploitation of the vulnerability may result in denial of service on the affected system.

5) Denial of Service (CVE-ID: CVE-2016-5025)

The vulnerability allows a local authenticated attacker to trigger DoS conditions on a target system.
The weakness is caused by improper input validation in the NVAPI support layer. By supplying specially crafted data, a malicious user can bypass security limitations and crash the vulnerable service.
Successful exploitation of the vulnerability may result in denial of service on the affected system.

6) Privilege escalation (CVE-ID: CVE-2016-4960)

The vulnerability allows a local authenticated user to obtain elevated privileges.

The vulnerability exists due to improper input validation in the NVIDIA NVStreamKMS.sys service component. By supplying specially crafted data, a local user can bypass security limitations and obtain elevated privileges on the system.

Successful exploitation of this vulnerability will allow the local attacker to obtain elevated privileges on the vulnerable system and compromise the system completely.


Remediation

Install the update from the vendor's website.