itman 1,594 Posted June 1, 2019

For reference:

Quote: CVE-2019-5675 - NVIDIA Windows GPU Display Driver contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape where the product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes, which may lead to denial of service, escalation of privileges, or information disclosure.

CVE-2019-5677 - NVIDIA Windows GPU Display Driver contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DeviceIoControl where the software reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer, which may lead to denial of service.

I am posting this since I assume many Eset users are using older Nvidia chipset graphics cards. Nvidia pretty much treats older cards as legacy. As such, they are no longer offering driver updates for these cards; even for critical security vulnerabilities such as noted previously. For example, the last available driver for my card is R390 dated Mar. 2018. This vulnerability affects all drivers prior to R430.

Since these are device driver vulnerabilities, I realize there is only so much Eset can do protection-wise against kernel mode vulnerabilities. If it can't protect against these, I guess it's time to purchase a new graphics card.
Nightowl 197 (Most Valued Members) Posted June 2, 2019

I believe Nvidia should release security updates for their cards, but I don't know how they work it out. But I do also believe that ESET should protect against these exploits.
Marcos 4,838 (Administrators) Posted June 2, 2019

I was unable to find information if there's actual malware or at least a PoC targeting the vulnerability and exploiting it for malicious purposes.
itman 1,594 (Author) Posted June 2, 2019

1 hour ago, Marcos said: I was unable to find information if there's actual malware or at least a PoC targeting the vulnerability and exploiting it for malicious purposes.

Suspect the PoC wasn't publicly disclosed. In any case, a CVE would not have been issued unless there was supporting data. As far as I am aware, there hasn't been any public disclosure of any exploiting. The main issue is both of these vulnerabilities only need low privilege status to exploit.

Quote: CVSS v3.0 Severity and Metrics:
Base Score: 7.8 HIGH
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (V3 legend)
Impact Score: 5.9
Exploitability Score: 1.8
Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High
https://nvd.nist.gov/vuln/detail/CVE-2019-5675

Quote: CVSS v3.0 Severity and Metrics:
Base Score: 5.5 MEDIUM
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (V3 legend)
Impact Score: 3.6
Exploitability Score: 1.8
Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High
https://nvd.nist.gov/vuln/detail/CVE-2019-5677
itman 1,594 (Author) Posted June 2, 2019

As far as CVE-2019-5675 goes, I believe it is fair to assume it is similar in nature to other DxgkDdiEscape vulnerabilities previously disclosed by Google's Project Zero:

Quote: DxgkDdiEscape. A well known entry point for potential vulnerabilities here is the DxgkDdiEscape interface. This can be called straight from user mode, and accepts arbitrary data that is parsed and handled in a vendor specific way (essentially an IOCTL). For the rest of this post, we'll use the term "escape" to denote a particular command that's supported by the DxgkDdiEscape function. NVIDIA has a whopping 400~ escapes here at time of writing, so this was where I spent most of my time (the necessity of many of these being in the kernel is questionable):
https://googleprojectzero.blogspot.com/2017/02/attacking-windows-nvidia-driver.html