[SOLVED] NVIDIA Issues Warning to Upgrade Drivers Due to Security Patches!

Status
Not open for further replies.
Hello,

Just a heads-up. If you are currently using an NVIDIA GPU, then update your drivers asap. Nvidia has issued a new security bulletin which warns their users that their GeForce, Quadro and Tesla graphics cards could be leaving their systems vulnerable to five recently discovered security exploits.

NVIDIA has found a total of five security vulnerabilities with its Windows drivers for GeForce, Quadro and Tesla lineup of graphics cards. These new security risks are labeled as very dangerous and have the potential to cause local code execution, denial of service, or escalation of privileges, unless the system is updated. Users are advised to update their Windows drivers as soon as possible in order to stay secure and avoid all of these vulnerabilities.

Exploits are only accessible on Windows-based OSes, starting from Windows 7 to Windows 10. However, one fact that's reassuring is that in order to exploit a system, an attacker must have local access to the machine that is running the NVIDIA GPU, as a remote exploit cannot happen.

https://nvidia.custhelp.com/app/answers/detail/a_id/4841/kw/Security Bulletin

The vulnerabilities are rated using the CVSS V3 base scoring system and they are arranged as follows:
  • CVE-2019-5683 - Most dangerous of all the vulnerabilities. This exploit uses a weakness in the driver's trace logger to create hard links that the software does not check. An attacker could create any link without getting warned by the system and force local code execution, denial of service or escalation of privileges. It is rated with a score of 8.8.

  • CVE-2019-5684 - Vulnerability which uses carefully crafted shaders in order to cause out-of-bounds access to the input texture array, possibly leading to denial of service or code execution. It is rated with a score of 7.8.

  • CVE-2019-5685 - Vulnerability which also uses carefully crafted shaders in order to cause out-of-bounds access to the shader local temporary array, possibly leading to denial of service or code execution as well. It is rated with a score of 7.8.

  • CVE-2019-5686 - Vulnerability hidden in the kernel mode layer handler for DxgkDdiEscape, which uses different data structures and DirectX API functions that are not always valid, leading to denial of service if the API function or data structure is incorrect. It is rated with a score of 5.6.

  • CVE-2019-5687 - Least dangerous exploit of all five. It is also a problem in the kernel mode layer handler for DxgkDdiEscape, which may put the system at risk if incorrect default permissions are used for an object. This can lead to information disclosure or denial of service. It is rated with a score of 5.2.
 
Solution
Well to sum up the matter of using GEFORCE for drivers--

  1. I had no choice. Even when I had NO drivers (after DDU uninstall) I had to use GEFORCE. It's not just that you can't "install standard drivers over DCH " it's that you can't install them period.
  2. If as suggested here it is related to Win 10 pro, it might also be related to Win 10 Enterprise etc. That means there are a lot of people who have no choice but to use GEFORCE.
  3. If pre-mades also require it, that means even more people use GEFORCE.
  4. So there is little point in suggesting that downloading standard drivers from the web site is the best way to go as it is impossible for a large number of users and leads to the distracting concern that when the warning comes...
Why does it seem AMD has way less issues with security on both its CPUs and GPUs?

I'm not sure about the GPU side of AMD's lineup, but their CPUs are totally based on a whole new Architecture which isn't prone to most of the exploits, unlike INTEL's CPUs. They are based on a whole new Architecture, though some of their CPUs are slightly vulnerable to SPECTRE, with speculative execution.

But for AMD CPUs, I think thus far, no real-world attacks that leverage Spectre, Meltdown, L1TF, ZombieLoad, Spoiler, or any of the other named attacks have been observed.

I think differences between manufacturers (e.g., Intel vs. AMD) and architectures (e.g., x86-64 vs. Arm) make some processors vulnerable to more variants than others. ARM-based chips aren't impacted by the Meltdown-based attacks though. They are, however, susceptible to all five that are based on Spectre.

As you can see from this chart, AMD CPUs have architecture fixes.

Moreover, even though earlier AMD had claimed that its CPUs were not exposed to Meltdown-class vulnerabilities, researchers discovered a variation of Meltdown (called Meltdown-BR) that was perfectly operational with AMD CPUs. So at this point, the CPUs of all three of the largest global CPU vendors — AMD, ARM, and Intel — are susceptible to both Meltdown and Spectre. Well, at least to some of the variations from both these families.


Phaaze88

Updated mine yesterday, but thanks for the heads up though!

This just makes Intel look even worse.

Both Nvidia and AMD are smaller than Intel, thus they have fewer employees = it would take longer to find security threats. When they do, they get to work on patching them.

Intel has more employees, so they should be able to find and deal with such matters faster... but instead tries to hide them until it eventually reaches the public...
 
This just makes Intel look even worse.

How exactly though?

I mean YES, we all know INTEL procs have been the main victim of these vulnerabilities, but I think at this point, the CPUs of all three of the largest global CPU vendors — AMD, ARM, and Intel — are still susceptible to both Meltdown and Spectre. Well, at least to some of the variations from both these families. INTEL is in the top list though.

Not sure how many more exploits are going to be discovered in the coming months/years, if INTEL doesn't change/modify its existing CPU Architecture!
 

Phaaze88

How exactly though?
Looking at all the time the company spent twiddling their thumbs and making minuscule IPC improvements, some of that time could've/should've been spent actually looking for these things.
They affect the entirety of the Core I architecture. I believe if they were on top of this from the start, some of these vulnerabilities could've been patched out - at the hardware or software level - before the great Skylake and its 1st refresh, Kabylake launched...
Ok, maybe that's a bit of a stretch for such a large company, but there's 4 years between Sandy Bridge and Skylake, even longer than that if you want to include the legacy models...
Not sure how many more exploits are going to be discovered in the coming months/years, if INTEL doesn't change/modify its existing CPU Architecture!
YES! No more LAKES!
Until then, don't expect anything breathtaking from them - nevermind, they may actually be able to challenge Nvidia's high end segment, only time will tell...
 
They affect the entirety of the Core I architecture. I believe if they were on top of this from the start, some of these vulnerabilities could've been patched out - at the hardware or software level - before the great Skylake and its 1st refresh, Kabylake launched..

I think those vulnerabilities were discovered later on, IMO. At that time INTEL wasn't aware of the flaws and weakness in their architecture!!

BTW, read this.. Great !! Intel Impacted by new SWAPGS Speculative Execution Attack !! This keeps getting interesting.

Researchers over at Bitdefender have uncovered a new side-channel attack which impacts Intel x86 processors. This new Speculative Execution attack is called SWAPGS, and has been designated the CVE-2019-1125 name.

Bitdefender has claimed that it has "worked with Intel for more than a year" before publicly disclosing this new attack, stating that "the SWAPGS Attack affects newer Intel CPUs that use speculative execution". Red Hat has additionally claimed that the vulnerability applies to x86-64 systems which use "either Intel or AMD processors".

SWAPGS allows attackers to gain access to information that's stored in kernel memory, which could extend to passwords, encryption keys and other pieces of important information. This vulnerability is said to only be available to local attackers, with the Linux OS being considered more secure from the vulnerability than Windows.

Users of Windows 10 should update their OS to ensure that their systems remain secure. On July 9th, Microsoft released an OS update that's designed to mitigate the effects of SWAPGS by changing how processors speculatively access memory.

AMD has responded to the reveal of SWAPGS with the following statement, claiming that they believe that their processors are not vulnerable to SWAPGS.


AMD is aware of new research claiming new speculative execution attacks that may allow access to privileged kernel data. Based on external and internal analysis, AMD believes it is not vulnerable to the SWAPGS variant attacks because AMD products are designed not to speculate on the new GS value following a speculative SWAPGS. For the attack that is not a SWAPGS variant, the mitigation is to implement our existing recommendations for Spectre variant 1.

https://www.forbes.com/sites/daveyw...advises-all-users-to-update-now/#4ac75e5d73f8

https://www.amd.com/en/corporate/product-security

https://www.bleepingcomputer.com/ne...-modern-cpus-fixed-in-windows-linux-chromeos/
 
Some more info on this attack ! (sorry for the double post though...)

This new attack bypasses all known mitigation mechanisms implemented in response to Spectre and Meltdown (this sounds weird). According to the report, all Intel CPUs that support SWAPGS and WRGSBASE instructions are vulnerable to this new attack.

What this means is that basically anything from Intel Ivy Bridge to the latest processor series are vulnerable. Any device running an Intel Ivy Bridge or newer CPU: desktops, laptops, servers, etc.

This functionality has the CPU making educated guesses about instructions that may be required before it determines whether the instructions are, in fact, required. This speculative execution may leave traces in cache that attackers can use to leak privileged, kernel memory.

As the report reads, addressing these vulnerabilities is extremely challenging. Since they lie deep within the structure and operation of modern CPUs, completely removing the vulnerabilities involves either replacing hardware or disabling functionality that greatly enhances performance.

Likewise, creating mitigation mechanisms is highly complex and can hamper performance gains achieved by speculative-execution features. For example, completely eliminating the possibility of side-channel attacks against the speculative-execution functionality of Intel CPUs would require a complete disabling of hyperthreading, which would seriously degrade performance.
 

gn842a

AMD's market share of desktop cpus has risen from 12% a few years ago to 17% today. I think part of their better record on security is the same as Apple's. Not that they are more secure, but there are fewer of them out there so the big gain in hacking is on the most widely disseminated system. I'm not particularly fussy, I've been using AMD since the early 90s. But out there in the reservoir of things I worry about is that if AMD gets too successful it will be hacked more.

The other thing I worry about is that if they are not successful enough they fold up shop and go away.

Greg N
 
Some more info on this attack ! (sorry for the double post though...)

This new attack bypasses all known mitigation mechanisms implemented in response to Spectre and Meltdown (this sounds weird). According to the report, all Intel CPUs that support SWAPGS and WRGSBASE instructions are vulnerable to this new attack.

What this means is that basically anything from Intel Ivy Bridge to the latest processor series are vulnerable. Any device running an Intel Ivy Bridge or newer CPU: desktops, laptops, servers, etc.

This functionality has the CPU making educated guesses about instructions that may be required before it determines whether the instructions are, in fact, required. This speculative execution may leave traces in cache that attackers can use to leak privileged, kernel memory.

As the report reads, addressing these vulnerabilities is extremely challenging. Since they lie deep within the structure and operation of modern CPUs, completely removing the vulnerabilities involves either replacing hardware or disabling functionality that greatly enhances performance.

Likewise, creating mitigation mechanisms is highly complex and can hamper performance gains achieved by speculative-execution features. For example, completely eliminating the possibility of side-channel attacks against the speculative-execution functionality of Intel CPUs would require a complete disabling of hyperthreading, which would seriously degrade performance.

It seems every month there are new vulnerabilities found with Intel CPUs that Intel has no hardware mitigation for.

It seems Google is rumored to start adopting AMD Epyc. https://hothardware.com/news/google-disruptive-migration-amd-epyc-cloud-data-centers I wouldn't be surprised if this is due to the security issues with Intel chips.

Chorus:
And I'm proud to be an American [AMD user]
Where at least I know I'm free [from most vulnerabilities]
And I won't forget the men [performance] who died [was lost through Intel's software patches]
 

Phaaze88

I was sure they'd have a team specifically for finding such issues. Or heck, the engineers who developed x86 made some kind of footnotes of the pros and cons of the arch?

Yay to more software patches and higher latency

To offset this extra latency would be to get faster memory and I guess an even faster cpu? Or just jump ship to AMD, the logical solution.

There's no reason to even consider an Intel cpu right now, even for gaming. All the extra latency from the software patches adds up, and the impact on performance will only continue to go up.

Upcoming 10th gen still on x86? Pass, hard pass on all their future cpus until they get out of the 'water'.

I'm sticking with this 7820x either until something comes along and blows it away, or all these bloody software patches hinder things enough to force me to jump ship early.

I refuse to disable hyperthreading, but should something come along that forces me to, I'm done... dang it, I started ranting again.
 
It seems Google is rumored to start adopting AMD Epyc. https://hothardware.com/news/google-disruptive-migration-amd-epyc-cloud-data-centers I wouldn't be surprised if this is due to the security issues with Intel chips.

That might be possible for this decision. I've read that news before, and it seems GOOGLE is indeed investing in AMD. Good for the RED TEAM though.

Chorus:
And I'm proud to be an American [AMD user]
Where at least I know I'm free [from most vulnerabilities]
And I won't forget the men [performance] who died [was lost through Intel's software patches]

Nice chorus/verse ! I like it.

Or just jump ship to AMD, the logical solution.

YES. I'm waiting for ZEN3 to arrive. Things will improve with the next-gen AMD architecture......By the way, I like your PC/RIG.....Great setup, but very expensive, lol !! How is your rig/system holding up, by the way, in GAMES and other tasks ?
 

gn842a

So I just bought an NVidia gpu a few hours ago because I've had it with the RX 580 590 series which is not stable regardless of my best efforts. We need not get into it here. The point is by the week's end I'll have an MSI TI 1660.

What I want to know is whether, when I go to MSI for drivers, they will be latest and greatest and take into account the warnings posted here?

thank you,
Greg N
 
There have been quite a few 'the sky is falling' editorials about Intel's security flaws...

I know just yesterday I read about where someone's Intel system was massively compromised when....oh, wait, there have not been any actual breaches due to these flaws, most are just hypothetical weaknesses/vulnerabilities, with no actual confirmed breaches....
 
I know just yesterday I read about where someone's Intel system was massively compromised when....oh, wait, there have not been any actual breaches due to these flaws, most are just hypothetical weaknesses/vulnerabilities, with no actual confirmed breaches....
I haven't heard of any data loss due to these issues.

I have heard of performance loss due to patches tho.
 

gn842a

Latest IS greatest in this case.

I'm surprised you had the issues you did with your cards. I have had a much better experience going from Nvidia to a comparably priced AMD card.

No one is more surprised than me. I'm an AMD/ASUS loyalist and feel very let down. And I'm not out of the woods yet. Perhaps the TI will be even worse. At that point I will conclude that I have a severe deficit in my skills as an orderer of parts.

Greg N
 