[SOLVED] NVIDIA Issues Warning to Upgrade Drivers Due to Security Patches. !

[Metal Messiah.]

Hello,

Just some heads-up. If you are currently using an NVIDIA GPU, then update your drivers asap. Nvidia has issued a new security bulletin which warns their users that their Geforce, Quadro and Tesla graphics cards could be leaving their systems vulnerable to five recently discovered security exploits.

NVIDIA has found a total of five security vulnerabilities with its Windows drivers for GeForce, Quadro and Tesla lineup of graphics cards. These new security risks are labeled as very dangerous and have the potential to cause local code execution, denial of service, or escalation of privileges, unless the system is updated. Users are advised to update their Windows drivers as soon as possible in order to stay secure and avoid all of these vulnerabilities.

Exploits are only accessible on Windows based OSes, starting from Windows 7 to Windows 10. However, one fact that's reassuring is that in order to exploit a system, attacker must have local access to the machine that is running NVIDIA GPU, as remote exploit can not happen.

https://nvidia.custhelp.com/app/answers/detail/a_id/4841/kw/Security Bulletin

The vulnerabilities are rated using CVSS V3 base scoring system and they are arranged as following:

• CVE-2019-5683 - Most dangerous of all the vulnerabilities. This exploits uses driver's trace logger weakness to create hard links, that software does not check. Attacker could create any link without getting warned by the system and force local code execution, denial of service or escalation of privileges. It is rated with a score of 8.8.
• 
  
• CVE-2019-5684 - Vulnerability which uses carefully crafted shaders in order to cause out of bounds access to input texture array, possibly leading to denial of service or code execution. It is rated with a score of 7.8
• 
  
• CVE-2019-5685 - Vulnerability which also uses carefully crafted shaders in order to cause out of bounds access to shader local temporary array, possibly leading to denial of service or code execution as well. It is rated with a score of 7.8
• 
  
• CVE-2019-5686 - Vulnerability hidden in kernel mode layer handler for DxgkDdiEscape, which uses different data structures and DirectX API functions that are not always valid, leading to denial of service if the API function or data structure is incorrect. It is rated with a score of 5.6.
• 
  
• CVE-2019-5687 - Least dangerous exploit of all five. It is also a problem in kernel model layer handler for DxgkDdiEscape, which may put system at risk if incorrect default permissions are used for an object. This can lead to information disclosure or denial of service. It is rated with a score of 5.2.

 

[gn842a]

There have been quite a few 'the sky is falling' editorials about Intel's security flaws...

I know just yesterday I read about where someone's Intel system was massively compromised when....oh, wait, there have not been any actual breaches due to these flaws, most are just hypothetical weaknesses/vulnerabilities, with no actual confirmed breaches....

Actually if the hacks are difficult you won't hear a THING about data losses due to these vulnerabilities because most of the hacking will be done by experts in the pay of corporations or governments and they won't breathe a word of what they're up to. The next level down of data pirates, the ones who want credit card information and the like, their hacks get known faster because you can pillage only so many credit cards before someone figures it out.

Greg N

 

[NightHawkRMX]

I agree and can't stress enough:
If a hacker is skilled enough to discover these flaws they likely are skilled enough to steal data without people being alerted. So there is a chance that data has been stolen, but you wouldn't know.

 

[Metal Messiah.]

I'm not sure this is good news. I hope it is. MS has a talent for creating new problems with each fix.

Unfortunately, MS is again going to mess up something, by releasing, and pulling back patches/updates for Win 10 OS. I'm skeptical whether we are going to actually get a very STABLE Win 10 OS build.

Each new update/patch has also broken things, rather than fixing them. IMO, Windows 10 OS has been very finicky since the beginning. Even after so many years, the Windows is still plagued with NEW issues.

Thankfully, my Win 7 OS copy is still rocking on my PC.

What I want to know is whether, when I go to MSI for drivers, they will be latest and greatest and take into account the warnings posted here?

What do you actually mean by this ? Are you guys talking about updating the GPU drivers ?

 

[gn842a]

Unfortunately, MS is again going to mess up something, by releasing, and pulling back patches/updates for Win 10 OS. I'm skeptical whether we are going to actually get a very STABLE Win 10 OS build.

Each new update/patch has also broken things, rather than fixing them. IMO, Windows 10 OS has been very finicky since the beginning. Even after so many years, the Windows is still plagued with NEW issues.

Metal M: I had to read this several times because I thought I wrote it. That's how much I agree. There are some grizzled veterans of these fora, however, who staunchly defend Windows 10. --GN

 

[NightHawkRMX]

Windows updates haven't caused much hassle for me, however they always seem to cause issues with other ppl.

 

[gn842a]

What do you actually mean by this ? Are you guys talking about updating the GPU drivers ?

Yes I am. I am specifically asking you, and anyone else, whether the NVIDIA gpu I'm getting this week, which is MSI 1660 TI, will have the appropriate drivers to fix this problem when I go to the MSI site to download the GPU drivers. Or whether that is some months off.

I have the option of continuing to use my RX 590 but it is very buggy. I have posted a great deal on this and no need to repeat myself here.

thanks,
Greg N

 

[NightHawkRMX]

Yes I am. I am specifically asking you, and anyone else, whether the NVIDIA gpu I'm getting this week, which is MSI 1660 TI, will have the appropriate drivers to fix this problem when I go to the MSI site to download the GPU drivers. Or whether that is some months off.

I have the option of continuing to use my RX 590 but it is very buggy. I have posted a great deal on this and no need to repeat myself here.

thanks,
Greg N

Go to nvidias website and download the latest 1660ti driver. Problem solved. Flaws patched.

 

[gn842a]

Go to nvidias website and download the latest 1660ti driver. Problem solved. Flaws patched.

Well that's what I'll do. But it won't be "problem solved." It will be "problem solved more or less as understood by the two or three guys working on this problem."

Greg N

 

[Phaaze88]

YES. I'm waiting for ZEN3 to arrive. Things will improve with the next-gen AMD architecture......By the way, I like your PC/RIG.....Great setup, but very expensive, lol !! How is your rig/system holding up, by the way, in GAMES and other tasks ?

https://www.userbenchmark.com/UserRun/19115085
Although it's userbenchmark, it should still give you an idea of where this PC stands.
There's still room for further tuning, so...

 

[Metal Messiah.]

https://www.userbenchmark.com/UserRun/19115085
Although it's userbenchmark, it should still give you an idea of where this PC stands.
There's still room for further tuning, so...

Excellent ! That PC is performing way above expectations. I see you are also using an NVMe PCIe M.2 SSD as well ! My "potato" RIG cannot even close to those results, haha !

BTW, SSD prices are also slowly dropping, including both SATA and M.2 interface models, thanks to the NAND market.

https://www.tomshardware.com/news/ssds-cheaper-than-ever,39862.html

 

[NightHawkRMX]

Excellent ! That PC is performing way above expectations. I see you are also using an NVMe PCIe M.2 SSD as well ! My "potato" RIG cannot even close to those results, haha !

BTW, SSD prices are also slowly dropping, including both SATA and M.2 interface models, thanks to the NAND market.

https://www.tomshardware.com/news/ssds-cheaper-than-ever,39862.html

Your "Potato" rig is still better than mine lol.

I have considered upgrading to a 1tb 660p, but i will have a ryzen 5 before then

 

[Phaaze88]

Excellent ! That PC is performing way above expectations. I see you are also using an NVMe PCIe M.2 SSD as well ! My "potato" RIG cannot even close to those results, haha !

BTW, SSD prices are also slowly dropping, including both SATA and M.2 interface models, thanks to the NAND market.

https://www.tomshardware.com/news/ssds-cheaper-than-ever,39862.html

Yea, I actually want to replace the 1TB 850 evo with one of Samsung's 4GB models, but holy moly... their 4GB evo and pro models are about $500 and $1000 respectively!
Naturally, I'm aiming for the evo, but that's still a tough buy! I was already planning to do a full custom loop on this build later this year... Maybe prices will get better around Christmas???
shrugs

 

[Metal Messiah.]

@Phaaze88, I want an 8GB PRO Model pretty bad. For OS even a cheap 4GB might do the job, but I want to install few games on the SSD, and those AAA games eat up a lot of disk space....

But I think we can't get an 8GB, or even a 16GB consumer SSD that cheap. Very expensive. Are you going to buy one of the PRO Models from SAMSUNG ?

Maybe prices will get better around Christmas???

I too hope for the best. The NAND/V-NAND market is actually fluctuating a lot these days though....

@remixislandmusic, ....Nah, your PC is also good. Except for the processor, which is slightly weak, though it shouldn't pose any problem I suppose ?

Okay, my i7 4790 is better when paired with an RX 480, but my PC is stuttering pretty bad these days. It even hangs for some time. Not sure what is causing this. I just hope my GPU isn't showing any signs of age though.

My PSU is Cooler Master VS 850.

 

[Phaaze88]

@Phaaze88, I want an 8GB PRO Model pretty bad. For OS even a cheap 4GB might do the job, but I want to install few games on the SSD, and those AAA games eat up a lot of disk space....
But I think we can't get an 8GB, or even a 16GB consumer SSD that cheap. Very expensive. Are you going to buy one of the PRO Models from SAMSUNG ?

I don't NEED the pro model, but the extra endurance is just a 'nice to have'.
OMG... I just realized in my last post that I was looking into getting either Samsung's 4GB EVO or PRO SSDs...
I meant their 4TB models which are priced $500(EVO) and $1000(PRO). That's a HUGE oversight!

But no, I'll just wait(and hope) for the 4TB EVO to fall in price. It probably won't though, as it's price per GB is already less than the lower capacity models.
There's no bloody way I'm paying another $500 just for extra endurance. But then again, the PRO models are marketed at different consumers.

I too hope for the best. The NAND/V-NAND market is actually fluctuating a lot these days though....

I'm keeping an eye out. I may jump on it at the first sign of a discount, LOL!

 

[digitalgriffin]

I'm not sure about the GPU side of AMD's lineup, but their CPUs are totally based on a whole new Architecture which isn't prone to most of the exploits, unlike INTEL's CPUs. They are based on a whole new Architecture, though some of their CPUs are slightly vulnerable to SPECTRE, with speculative execution .

But for AMD CPUs, I think thus far, no real-world attacks that leverage Spectre, Meltdown, L1TF, ZombieLoad, Spoiler, or any of the other named attacks have been observed.

I think differences between manufacturers (e.g., Intel vs. AMD) and architectures (e.g., x86-64 vs. Arm) make some processors vulnerable to more variants than others. ARM-based chips aren't impacted by the Meltdown-based attacks though. They are, however, susceptible to all five that are based on Spectre.

As you can see from this chart, that AMD CPUs have architecture fixes.

Moreover, even though earlier AMD had claimed that its CPUs were not exposed to Meltdown-class vulnerabilities, researchers discovered a variation of Meltdown (called Meltdown-BR) that was perfectly operational with AMD CPUs. So at this point, the CPUs of all three of the largest global CPU vendors — AMD, ARM, and Intel — are susceptible to both Meltdown and Spectre. Well, at least to some of the variations from both these families

Intel 9 series and AMD Ryzen 3000 series are supposed to have mitigations built in IIRC. However with the series of new spectre variants (Side channel physics exploits on SMT/HT cores) popping up on a regular basis, I don't think a fix can be guaranteed forever. The only solution is to encrypt each execution stream, so injection would be the same as writing non-encrypted data to an encrypted drive. At best you would get a crash.

 

[Metal Messiah.]

I just realized in my last post that I was looking into getting either Samsung's 4GB EVO or PRO SSDs...
I meant their 4TB models which are priced $500(EVO) and $1000(PRO). That's a HUGE oversight!

But no, I'll just wait(and hope) for the 4TB EVO to fall in price. It probably won't though, as it's price per GB is already less than the lower capacity models.

OKAY. Yes, the 4TB is obviously expensive. Can't comment on any price drop though, in near future. I think 500GB and above SSDs would see only a slight price drop in coming months/years.

Intel 9 series and AMD Ryzen 3000 series are supposed to have mitigations built in IIRC. However with the series of new spectre variants (Side channel physics exploits on SMT/HT cores) popping up on a regular basis, I don't think a fix can be guaranteed forever. The only solution is to encrypt each execution stream, so injection would be the same as writing non-encrypted data to an encrypted drive. At best you would get a crash.

Yeah, I think at some level those CPUs have a built-in mitigation, but the architecture is still prone to side channel and other attacks. But I think no architecture is future-proof though.

 

[Metal Messiah.]

On some other news, but slightly related.

Cybersecurity research firm Eclypsium published a report titled "Screwed Drivers," chronicling a critical flaw in the design of modern device driver software from over 40 hardware manufacturers, which allows malware to gain privilege from Ring 3 to Ring 0 (unrestricted hardware access).

The long list of manufacturers publishing drivers that are fully signed and approved by Microsoft under its WHQL program, includes big names such as Intel, AMD, NVIDIA, AMI, Phoenix, ASUS, Toshiba, SuperMicro, GIGABYTE, MSI, and EVGA. Many of the latter few names are motherboard manufacturers who design hardware monitoring and overclocking applications that install kernel-mode drivers into Windows for Ring-0 hardware-access.

As part of its study, Eclypsium chronicles three classes of privilege-escalation attacks exploiting device drivers, RWEverything, LoJax (first UEFI malware), SlingShot. At the heart of these are the exploitation of the way Windows continues to work with drivers with faulty, obsolete, or expired signing certificates.

Eclypsium hasn't gone into the nuts-and-bolts of each issue, but has briefly defined the three in a DEF CON presentation. The firm is working by several of the listed manufacturers on mitigations and patches, and is under embargo to put out a whitepaper.

RWEverything is introduced by Eclypsium as a utility to access all hardware interfaces via software. It works in user-space, but with a one-time installed signed RWDrv.sys kernel-mode driver, acts as a conduit for malware to gain Ring-0 access to your machine. LoJax is an implant tool that uses RWDrv.sys to gain access to the SPI flash controller in your motherboard chipset, to modify your UEFI BIOS flash. Slingshot is an APT with its own malicious driver that exploits other drivers with read/write MSR to bypass driver signing enforcement to install a rootkit.

Screwed Drivers - Signed, Sealed, Delivered - Eclypsium | Supply Chain Security for the Modern Enterprise

Download the PDF > Common Design Flaw In Dozens of Device Drivers Allows Widespread Windows Compromise Listen in as Eclypsium researchers Jesse Michael and Mickey Shkatov discuss this research, and subsequent developments in a recorded webinar. As part of Eclypsium’s ongoing hardware and...

eclypsium.com

EDIT: Didn't know before that even TOM HW has covered this news:

https://www.tomshardware.com/news/screwed-drivers-report-amd-intel-nvidia-vulnerabilities,40136.html

 

[Phaaze88]

-__-

You know what? Let's not think too hard on these things, yeah? Some people overreact(aka paranoia) as it is.
New tech launches every year, and so do new ways to screw each other over...
https://i.kym-cdn.com/photos/images/newsfeed/001/401/347/312.jpg

 

[gn842a]

Well I put in my 1660 TI yesterday and I was able to get Nvidia drivers dated July 17. There are July 23 drivers but the web site and the software it made me install on my end kept pointing me to the July 17 drivers so that's where it is. It would take a better man than me to install July 23....

 

[DMAN999]

Well I put in my 1660 TI yesterday and I was able to get Nvidia drivers dated July 17. There are July 23 drivers but the web site and the software it made me install on my end kept pointing me to the July 17 drivers so that's where it is. It would take a better man than me to install July 23....

I have an MSI GTX 1660 Ti and installed the July drivers from the Nvidia Site:
Version: 431.60 WHQL
Release Date: 2019.7.23
Operating System: Windows 10 64-bit
Language: English (US)
File Size: 495.91 MB
http://us.download.nvidia.com/Windows/431.60/431.60-desktop-win10-64bit-international-dch-whql.exe
From this page:
https://www.nvidia.com/Download/driverResults.aspx/148868/en-us

 

[Phaaze88]

Well I put in my 1660 TI yesterday and I was able to get Nvidia drivers dated July 17. There are July 23 drivers but the web site and the software it made me install on my end kept pointing me to the July 17 drivers so that's where it is. It would take a better man than me to install July 23....

I see, you must've clicked on the download button for automatic driver updates, and ended up downloading the crappy Geforce Experience.
Do the manual driver search next time. Much more reliable, and it doesn't make you install GE.

 

[gn842a]

I see, you must've clicked on the download button for automatic driver updates, and ended up downloading the crappy Geforce Experience.
Do the manual driver search next time. Much more reliable, and it doesn't make you install GE.

I did do the manual driver search. Twice it told me that my build was incompatible and referred me to the GEFORCE experience. I've downloaded a lot of drivers. Didn't have a choice near as I can see.

 

[gn842a]

It says it is WHQL "logo'd" whatever that means. Edit: this is from dxdiag in "run" command. The Nvidia package gives the more standard driver number (see below).

https://imgur.com/NrTqRpG

View: https://imgur.com/NrTqRpG

 

[gn842a]

Here is what happens if I go to the driver page and specify manually what I want

https://imgur.com/idU3jsJ

View: https://imgur.com/idU3jsJ

 

[gn842a]

This is what Google coughs up by way of explanation:

"Standard" packages are those that do not require the DCH driver components. "DCH" (Declarative, Componentized, Hardware Support Apps) refers to new packages preinstalled by OEMS implementing the Microsoft Universal Driver paradigm.Feb 25, 2019
Windows Driver Types | NVIDIA

https://nvidia.custhelp.com/app/answers/detail/a_id/4777/~/windows-driver-types


All that I understand about this is that trying to understand it is likely to push me way beyond my desktop pay grade. I don't have a huge success rate messing with "new packages preinstalled by OEMs" bent on implementing "Microsoft Universal Driver paradigm." Sounds like I would be going up against MSI, NVIDIA, and Microsoft. That is a fight I would lose.

Greg N