2015 m. spalio 3 d., šeštadienis

[security bulletin] HPSBHF03513 rev.1 - HP PCs and Workstations running Windows and Linux with NVidia Graphics Driver, Local Denial of Service (DoS), Elevation of Privilege


Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c04815468

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04815468
Version: 1

HPSBHF03513 rev.1 - HP PCs and Workstations running Windows and Linux with
NVidia Graphics Driver, Local Denial of Service (DoS), Elevation of Privilege

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2015-09-25
Last Updated: 2015-09-25

Potential Security Impact: Denial of Service (DoS), elevation of privilege

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with certain HP PCs
and workstations with Windows and Linux running the NVidia Graphics Driver.
The vulnerabilities could be locally exploited resulting in Denial of Service
(DoS) and elevation of privilege.

Note: This issue is present on Windows and Linux operating systems and
affects all currently supported NVIDIA driver releases and all GPUs. This
issue does not affect Android based NVIDIA Tegra products.

References:

CVE-2015-5950
SSRT102235

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Notebooks and Workstations

HP EliteBook 8740w 8740w Nvidia video driver
HP EliteBook 8440w 8440w Nvidia video driver
HP EliteBook 8540w 8540w Nvidia video driver
HP EliteBook 8760w 8760w Nvidia video driver
HP EliteBook 8560w 8560w Nvidia video driver
HP EliteBook 8770w 8570w Nvidia video driver
HP EliteBook 8570w 8570w Nvidia video driver
HP ZBook 17 17 Nvidia video driver
HP ZBook 15 15 Nvidia video driver
HP Zbook 17 G2 17 G2 Nvidia video driver
HP Zbook 15 G2 15 G2 Nvidia video driver
HP Z1 Nvidia video driver
HP Z230 Nvidia video driver
HP Z420 Nvidia video driver
HP Z440 Nvidia video driver
HP Z620 Nvidia video driver
HP Z640 Nvidia video driver
HP Z820 Nvidia video driver
HP Z840 Nvidia video driver

BACKGROUND

CVSS 2.0 Base Metrics
==============================
=============================
  Reference              Base Vector             Base Score
CVE-2015-5950    (AV:L/AC:M/Au:S/C:C/I:C/A:C)       6.6
===========================================================
             Information on CVSS is documented
            in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has provided the following NVidia driver updates for the impacted Windows
and Linux platforms running the NVidia Graphics Driver .

Note: This security bulletin will be revised as additional product updates
become available.

Linux Users Note: Download and install Linux-specific graphics drivers
directly from NVIDIA download resources to address vulnerability.
  - Long Lived Branch versions 352.41 (or greater) and 346.96 (or greater).
  - Legacy Support Branches 304.128 (or greater) and 340.93 (or greater).

To acquire the HP NVidia driver update, go to http://hp.com
  1. Select "Support" and then "Download Drivers"
  2. Enter your product name or number in the "Find my product" field.
  3. Choose the product from the returned search
  4. Choose the appropriate operating system
  5. Under the Download Index, select Driver-Graphics, and download the
updated NVidia driver version as listed in the table below.
  6. Follow the installation instructions to install the NVidia Driver
update.

| HP Notebooks and Workstations |       O/S       | Version | Softpaq |
|-------------------------------|-----------------|---------|---------|
| HP EliteBook 8440w            | Windows 7/8/8.1 |  341.81 | SP72938 |
| HP EliteBook 8540w            | Windows 7/8/8.1 |  341.81 | SP72938 |
| HP EliteBook 8560w            | Windows 7/8/8.1 |  341.81 | SP72938 |
| HP EliteBook 8570w            | Windows 7/8/8.1 |  354.04 | SP72937 |
| HP EliteBook 8570w            | Windows 10      |  354.04 | SP72936 |
| HP EliteBook 8740w            | Windows 7/8/8.1 |  341.81 | SP72938 |
| HP EliteBook 8760w            | Windows 7/8/8.1 |  341.81 | SP72938 |
| HP EliteBook 8770w            | Windows 7/8/8.1 |  354.04 | SP72937 |
| HP EliteBook 8770w            | Windows 10      |  354.04 | SP72936 |
| HP ZBook 15                   | Windows 10      |  354.04 | SP72936 |
| HP ZBook 15                   | Windows 7/8/8.1 |  354.04 | SP72937 |
| HP ZBook 15 G2                | Windows 7/8/8.1 |  354.04 | SP72937 |
| HP ZBook 15 G2                | Windows 10      |  354.04 | SP72936 |
| HP ZBook 17                   | Windows 7/8/8.1 |  354.04 | SP72937 |
| HP ZBook 17                   | Windows 10      |  354.04 | SP72936 |
| HP ZBook 17 G2                | Windows 7/8/8.1 |  354.04 | SP72937 |
| HP ZBook 17 G2                | Windows 10      |  354.04 | SP72936 |
| HP Z1                         | See *Note       |         |         |
| HP Z230                       | See *Note       |         |         |
| HP Z420                       | See *Note       |         |         |
| HP Z440                       | See *Note       |         |         |
| HP Z620                       | See *Note       |         |         |
| HP Z640                       | See *Note       |         |         |
| HP Z820                       | See *Note       |         |         |
| HP Z840                       | See *Note       |         |         |

*Note: HP will revise this security bulletin when softpaq updates are
available for these products. Until available, customers can download updated
NVidia drivers for Windows 7, 8.1 or 10.0 from NVidia.com.

HISTORY
Version:1 (rev.1) - 25 September 2015 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel.  For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2015 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.

Komentarų nėra:

Rašyti komentarą