SUSE SLED15 / SLES15 / openSUSE 15 Security Update : kernel-firmware-nvidia-gspx-G06 (SUSE-SU-2024:2585-1)

high Nessus Plugin ID 203004

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:2585-1 advisory.

Update to version 555.42.06 for CUDA.

Security Update 550.90.07:

- CVE-2024-0090: Fixed out of bounds write (bsc#1223356).
- CVE-2024-0092: Fixed incorrect exception handling (bsc#1223356).
- CVE-2024-0091: Fixed untrusted pointer dereference (bsc#1223356).

Changes in kernel-firmware-nvidia-gspx-G06:

- Update to 550.100 (bsc#1227575)

- Add a second flavor to be used by the kernel module versions used by CUDA. The firmware targeting CUDA contains '-cuda' in its name to track its versions separately from the graphics firmware. (bsc#1227417)

Changes in nvidia-open-driver-G06-signed:

- Update to 550.100 (bsc#1227575)

* Fixed a bug that caused OpenGL triple buffering to behave like double buffering.

- To avoid issues with missing dependencies when no CUDA repo is present, make the dependency on nvidia-compute-G06 conditional.

- CUDA is not available for Tumbleweed, exclude the build of the cuda flavor.

- preamble: let the -cuda flavor KMP require the -cuda flavor firmware

- Add a second flavor for building the kernel module versions used by CUDA. The kmp targeting CUDA contains '-cuda' in its name to track its versions separately from the graphics kmp. (bsc#1227417)
- Provide the meta package nv-prefer-signed-open-driver to make sure the latest available SUSE-build open driver is installed - independent of the latest available open driver version in the CUDA repository.
Rationale:
The package cuda-runtime provides the link between CUDA and the kernel driver version through a Requires: cuda-drivers >= %version. This implies that a CUDA version will run with any kernel driver version equal or higher than a base version.
nvidia-compute-G06 provides the glue layer between CUDA and a specific version of the kernel driver both by providing a set of base libraries and by requiring a specific kernel version. 'cuda-drivers' (provided by nvidia-compute-utils-G06) requires an unversioned nvidia-compute-G06. With this, the resolver will install the latest available and applicable nvidia-compute-G06.
nv-prefer-signed-open-driver then represents the latest available open driver version and restricts the nvidia-compute-G06 version to it. (bsc#1227419)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1223356

https://www.suse.com/security/cve/CVE-2024-0090

https://www.suse.com/security/cve/CVE-2024-0091

https://www.suse.com/security/cve/CVE-2024-0092

https://bugzilla.suse.com/1223454

https://bugzilla.suse.com/1227417

https://bugzilla.suse.com/1227419

https://bugzilla.suse.com/1227575

https://lists.suse.com/pipermail/sle-updates/2024-July/036081.html

Plugin Details

Severity: High

ID: 203004

File Name: suse_SU-2024-2585-1.nasl

Version: 1.1

Type: local

Agent: unix

Published: 7/23/2024

Updated: 7/23/2024

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2024-0091

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:novell:suse_linux:15, p-cpe:/a:novell:suse_linux:kernel-firmware-nvidia-gspx-g06, p-cpe:/a:novell:suse_linux:nvidia-open-driver-g06-signed-64kb-devel, p-cpe:/a:novell:suse_linux:nvidia-open-driver-g06-signed-azure-devel, p-cpe:/a:novell:suse_linux:nvidia-open-driver-g06-signed-default-devel, p-cpe:/a:novell:suse_linux:nvidia-open-driver-g06-signed-kmp-64kb, p-cpe:/a:novell:suse_linux:nvidia-open-driver-g06-signed-kmp-azure, p-cpe:/a:novell:suse_linux:nvidia-open-driver-g06-signed-kmp-default, p-cpe:/a:novell:suse_linux:kernel-firmware-nvidia-gspx-g06-cuda, p-cpe:/a:novell:suse_linux:nv-prefer-signed-open-driver, p-cpe:/a:novell:suse_linux:nvidia-open-driver-g06-signed-cuda-64kb-devel, p-cpe:/a:novell:suse_linux:nvidia-open-driver-g06-signed-cuda-azure-devel, p-cpe:/a:novell:suse_linux:nvidia-open-driver-g06-signed-cuda-default-devel, p-cpe:/a:novell:suse_linux:nvidia-open-driver-g06-signed-cuda-kmp-64kb, p-cpe:/a:novell:suse_linux:nvidia-open-driver-g06-signed-cuda-kmp-azure, p-cpe:/a:novell:suse_linux:nvidia-open-driver-g06-signed-cuda-kmp-default

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 7/22/2024

Vulnerability Publication Date: 6/13/2024

Reference Information

CVE: CVE-2024-0090, CVE-2024-0091, CVE-2024-0092

SuSE: SUSE-SU-2024:2585-1