Australia's Leading Computer Emergency Response Team

ASB-2013.0051 - [VMware ESX][Linux][FreeBSD][Solaris] Nvidia GPU Driver: Root compromise - Remote/unauthenticated
Date: 11 April 2013
Original URL: http://www.auscert.org.au/render.html?cid=10415&it=17363

Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2013.0051
         CVE-2013-0131: NVIDIA UNIX GPU Driver ARGB Cursor Buffer
                       Overflow in "NoScanout" Mode.
                               11 April 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Nvidia GPU Driver
Operating System:     Linux variants
                      Solaris
                      FreeBSD
                      VMWare ESX Server
Impact/Access:        Root Compromise   -- Remote/Unauthenticated
                      Denial of Service -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2013-0131  
Member content until: Saturday, May 11 2013

OVERVIEW

        A vulnerability has been identified in Nvidia's GPU drivers prior to
        versions 304.88, 310.44, 313.30. [1]


IMPACT

        The vendor has stated the following:
        
        "When the NVIDIA driver for the X Window System is operated in 
        "NoScanout" mode, and an X client installs an ARGB cursor that is 
        larger than the expected size (64x64 or 256x256, depending on the 
        driver version), the driver will overflow a buffer. This can cause a
        denial of service (e.g., an X server segmentation fault), or could be 
        exploited to achieve arbitrary code execution. Because the X server 
        runs as setuid root in many configurations, an attacker could 
        potentially use this vulnerability in those configurations to gain root
        privileges.  To install an ARGB cursor, an application would require a 
        connection to a running X server. Normally, X servers are configured 
        to only accept authenticated connections from the local host, but some 
        X servers may be configured to more permissively allow connections, 
        and/or to allow connections over a network." [1]


MITIGATION

        The vendor has stated the following:
        
        "This vulnerability has been present since NVIDIA driver version 
        195.22. The overflow is fixed in 304.88, 310.44, 313.30, and all 
        drivers newer than those versions.  NVIDIA recommends that users 
        upgrade to a fixed driver version, or disable NoScanout mode, where 
        possible." [1]


REFERENCES

        [1] CVE-2013-0131: NVIDIA UNIX GPU Driver ARGB Cursor Buffer Overflow
            in "NoScanout" Mode.
            http://nvidia.custhelp.com/app/answers/detail/a_id/3290

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUWZIAu4yVqjM2NGpAQKB0RAArd0E05Uld2H4FqFbvOqgKEIpn3CrV5fc
obfJ867FkfWPrU/rzJzr/Y7fz803jAcO0IBtJVaEKSxIf71eJw5FtBAy0Ib0KWXp
VWOxpL0xjRAF4UaO99zFIGYBqzxCLp6TY3zaD3wUWJowl+ONOm79BRxg82iRQzwj
luLxQk4qA8qhdNKV6PFeWga1DDYY4sG14eQDdde8YJNSwFRlYPvXoHFXjqKMFGzg
G4GXI9APlF3E1lhElIM8KshFxeB4OyrKin6W4HxH/EQsUO0XWUXjNIChPorm83Yw
t25qtT8ID+h5sdnspMFpDodDbe4MvCT8IxMoNRBkgr+19fNb83hYq7Lmyq01tPHC
+Ew90/lGAPYC3D/fZXx3o392Mxb/UgRZF22vz9lXO+qbbt0CQnt6+hZHZCguaRIq
t7m8pdc3B/4rSLYhjSJ/frw97XwAl6L0/EacZWMmr/KKW8sx9o3CPZAc7MX+CfM+
hCo6IgD+62SIKHOp2x6McKZqVNNCC6wdzPyoFKULmJAnuUx8uHafDd6M7Ie50aOe
Wy847yuTSZs728MjGP6gE9WdEG2TU0rOarpQ6Q32VaoT6u7nWL5g/rpcVcVykm/6
2C8xrHzcUKOk5q3HqKvO2sSSPd+MepwCwn9MfEa9T48e2Q0Wg0B2Oq5u7r9Py+Rl
47FLxwmJQG8=
=fWmX
-----END PGP SIGNATURE-----