Critical bugs patched in Nvidia AI kit


Nvidia has issued fixes for 11 firmware vulnerabilities, the most serious of which are rated critical.



The three critical bugs in its advisory are CVE-2023-31029 (CVSS score 9.3), CVE-2023-31030 (CVSS score 9.3), and CVE-2023-31024 (CVSS score 9.0).

All three are bugs in the keyboard, video and mouse (KVM) daemon of the baseboard management controller (BMC) in Nvidia’s DGX A100, a five petaFLOPS AI system based on its A100 Tensor core.

In all three, the advisory stated, “an unauthenticated attacker may cause a stack overflow by sending a specially crafted network packet.”

An exploit could lead to “arbitrary code execution, denial of service, information disclosure, and data tampering.”

The BMCs in the company’s DGX H100 and DGX A100 are also subject to CVE-2023-25529 and CVE-2023-25530 (both CVSS 8.0), which are in the KVM service.

CVE-2023-25529 is a potential leak of a user’s session token, while CVE-2023-25530 is an input validation bug.

The BMC bugs are present in all versions prior to 00.22.05.

Fixes have also been issued for lower-rated vulnerabilities in DGX A100 SBIOS versions prior to 1.25.


