One of NVIDIA’s graphics drivers for Linux and Windows systems contains several vulnerabilities that could be used by an attacker to execute arbitrary code and, in some cases, perform guest-to-host escapes on systems running virtual machines.
The flaws are in the NVIDIA D3D10 graphics driver, and the company has released an update to address them, along with several other less serious bugs. Researchers with Cisco Talos discovered the four code-execution vulnerabilities, one of which affects both Linux and Windows systems, while the other three affect only Windows machines.
“An attacker could exploit these vulnerabilities by sending the target a specially crafted executable or shader file,” the Talos advisory says.
“These issues could also allow an adversary to perform a guest-to-host escape if they target a guest machine running virtualization environments. We specifically tested these issues with a HYPER-V guest using the RemoteFX feature, leading to the execution of vulnerable code on the HYPER-V host.”
The cross-platform bug lies in the kernel mode layer, while the Windows-only flaws are in the DirectX11 user mode driver. The most serious flaw is a memory corruption vulnerability in the kernel mode layer.
“NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where an unprivileged regular user on the network can cause an out-of-bounds write through a specially crafted shader, which may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. The scope of the impact may extend to other components,” the NVIDIA advisory says.
The Windows-only bugs are in three separate shader functions in the driver.
“NVIDIA GPU Display Driver for Windows contains a vulnerability in the DirectX11 user mode driver (nvwgf2um/x.dll), where an unauthorized attacker on the network can cause an out-of-bounds write through a specially crafted shader, which may lead to code execution to cause denial of service, escalation of privileges, information disclosure, and data tampering. The scope of the impact may extend to other components,” the advisory says.
The Talos researchers warn that the Windows-only bug (CVE-2022-28182) could be triggered in a couple of different ways.
“This vulnerability potentially could be triggered from guest machines running virtualization environments (i.e. VMware, qemu, VirtualBox etc.) in order to perform guest-to-host escape, as it was demonstrated before (TALOS-2018-0533, TALOS-2018-0568, etc.). Theoretically this vulnerability could also be triggered from a web browser (using webGL and webassembly),” the Talos advisory says.