SB2023082922 - Multiple vulnerabilities in NVIDIA DGX H100
Published: August 29, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 15 secuirty vulnerabilities.
1) Improper Authentication (CVE-ID: CVE-2023-31015)
The vulnerability allows a local user to bypass authentication process.
The vulnerability exists due to an error in when processing authentication requests in the REST service. A local user can bypass authentication process and gain unauthorized access to the application.
2) Stack-based buffer overflow (CVE-ID: CVE-2023-25528)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in a web server plugin. A remote attacker on the local network can trigger stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
3) Input validation error (CVE-ID: CVE-2023-25533)
The vulnerability allows a remote user to execute arbitrary code on the system.
The vulnerability exists due to insufficient validation of user-supplied input in the web UI. A remote administrator on the local network can pass specially crafted input to the application and execute arbitrary code on the target system.
4) Input validation error (CVE-ID: CVE-2023-31009)
The vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to insufficient validation of user-supplied input in the REST service. A remote attacker on the local network can pass specially crafted input to the application and execute arbitrary code on the target system.
5) Information Exposure Through Timing Discrepancy (CVE-ID: CVE-2023-25529)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the an exploitable timing discrepancy issue in the host KVM daemon. A remote attacker on the local network can disclose sensitive information on the target system.
6) Input validation error (CVE-ID: CVE-2023-25530)
The vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to insufficient validation of user-supplied input in the KVM service. A remote user on the local network can pass specially crafted input to the application and execute arbitrary code on the target system.
7) Buffer overflow (CVE-ID: CVE-2023-25527)
The vulnerability allows a local user to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the host KVM daemon. A local user can trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
8) Insufficiently protected credentials (CVE-ID: CVE-2023-25531)
The vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to insufficiently protected credentials in IPMI. A remote user on the local network can execute arbitrary code the target system.
9) Input validation error (CVE-ID: CVE-2023-31008)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to insufficient validation of user-supplied input in IPMI. A local user can pass specially crafted input to the application and gain elevated privileges on the target system.
10) Input validation error (CVE-ID: CVE-2023-31010)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to insufficient validation of user-supplied input in IPMI. A remote administrator on the local network can pass specially crafted input to the application and gain elevated privileges on the target system.
11) Insufficiently protected credentials (CVE-ID: CVE-2023-25532)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficiently protected credentials in IPMI. A remote attacker on the local network can gain access to sensitive information on the target system.
12) Input validation error (CVE-ID: CVE-2023-31012)
The vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists due to insufficient validation of user-supplied input in the REST service. A remote administrator on the local network can pass specially crafted input to the application and gain elevated privileges.
13) Input validation error (CVE-ID: CVE-2023-31013)
The vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists due to insufficient validation of user-supplied input in the REST service. A remote administrator on the local network can pass specially crafted input to the application and gain elevated privileges on the target system.
14) Input validation error (CVE-ID: CVE-2023-25534)
The vulnerability allows a remote user to execute arbitrary code on the system.
The vulnerability exists due to insufficient validation of user-supplied input in IPMI. A remote administrator on the local network can pass specially crafted input to the application and execute arbitrary code on the target system.
15) Input validation error (CVE-ID: CVE-2023-31011)
The vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists due to insufficient validation of user-supplied input in the REST service. A remote administrator on the local network can pass specially crafted input to the application and gain elevated privileges on the target system.
Remediation
Install update from vendor's website.