Nvidia Addresses Critical Firmware Vulnerabilities with Urgent Fixes

Nvidia has recently taken decisive action to address a series of firmware vulnerabilities, with 11 identified overall. Among these, three have been rated as critical, requiring immediate attention.

The critical bugs, tracked as CVE-2023-31029, CVE-2023-31030, and CVE-2023-31024, have received CVSS scores of 9.3 and 9.0, respectively. These vulnerabilities affect the keyboard, video, and mouse (KVM) daemon of the baseboard management controller (BMC) in Nvidia’s DGX A100 system.

The advisory states that these bugs expose the system to stack overflow attacks, which an unauthenticated attacker can trigger by sending a specially crafted network packet. Successful exploitation can result in arbitrary code execution, denial of service, information disclosure, and data tampering.

Nvidia has also acknowledged two additional vulnerabilities in the KVM service of its DGX H100 and DGX A100 models, tracked as CVE-2023-25529 and CVE-2023-25530. Although these bugs are rated slightly lower, with a CVSS score of 8.0, they still pose a significant threat. CVE-2023-25529 has the potential to leak a user’s session token, while CVE-2023-25530 is an input validation bug.

To mitigate these security risks, Nvidia urges users to update their systems to the latest versions available. In particular, all versions preceding 00.22.05 are vulnerable to the BMC bugs. Fixes have also been provided for lower-rated vulnerabilities in DGX A100 SBIOS versions prior to 1.25.

By promptly addressing these firmware vulnerabilities and offering necessary fixes, Nvidia demonstrates its commitment to maintaining the security and integrity of its systems. Users are strongly encouraged to take immediate action and apply the provided updates to ensure the safety of their devices and data.

The source of the article is from the blog j6simracing.com.br
