Nvidia has published fixes for 11 firmware vulnerabilities, the most severe of which is rated critical.
The three major bugs are CVE-2023-31029 (CVSS score 9.3), CVE-2023-31030 (CVSS score 9.3), and CVE-2023-31024 (CVSS score 9.0).
All three are bugs in the keyboard, video, and mouse (KVM) daemon in the baseboard management controller (BMC) of the DGX A100, a 5-petaFLOPS AI system based on Nvidia’s A100 Tensor Cores.
All three advisories state that “an unauthenticated attacker could cause a stack overflow by sending specially crafted network packets.”
If exploited, it could lead to “execution of arbitrary code, denial of service, information disclosure, and data tampering.”
The company’s DGX H100 and DGX A100 BMCs are also affected by CVE-2023-25529 and CVE-2023-25530 (both CVSS 8.0) in the KVM service.
CVE-2023-25529 is a potential leak of a user’s session token, and CVE-2023-25530 is an input validation bug.
The BMC bug exists in all versions prior to 00.22.05.
Fixes have also been issued for low-rated vulnerabilities in DGX A100 SBIOS versions prior to 1.25.