Piotr Bania of Cisco Talos discovered the vulnerabilities mentioned in this post.
Cisco Talos recently disclosed three vulnerabilities in the shader functionality of the NVIDIA D3D10 driver that works with NVIDIA’s graphics cards.
The driver is vulnerable to memory corruption if an adversary sends a specially crafted shader packer.
An attacker could exploit these vulnerabilities from guest machines running virtualization environments (such as VMware, QEMU and VirtualBox) to perform a guest-to-host escape, as we’ve illustrated with previous vulnerabilities in NVIDIA graphics drivers.
Talos’ research also indicates that these vulnerabilities could be triggered from a web browser using WebGL and WebAssembly. Our researchers triggered these issues from a Hyper-V guest using the RemoteFX feature, leading to the execution of vulnerable code on the Hyper-V host (inside the rdvgm.exe process). Microsoft recently deprecated RemoteFX, but older machines may still use this software.
Talos worked with NVIDIA to ensure these vulnerabilities are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.
For Snort coverage (SIDs 61386, 61387, 61398, 61399, 61410 and 61411) that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org. Our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.