Multiple vulnerabilities in NVIDIA Hopper HGX 8-GPU
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2024-0141 CVE-2024-0114 |
| CWE-ID | CWE-782 CWE-1244 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Hopper HGX 8-GPU Hardware solutions / Firmware |
| Vendor | nVidia |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Exposed IOCTL with Insufficient Access Control
EUVDB-ID: #VU105380
Risk: Low
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-0141
CWE-ID:
CWE-782 - Exposed IOCTL with Insufficient Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient access control in the IOCTL within the GPU vBIOS. A remote administrator can write to an unsupported registry and cause a denial of service condition.
MitigationInstall updates from vendor's website.
Vulnerable software versionsHopper HGX 8-GPU: 1.3.0 - 1.5.0
CPE2.3- cpe:2.3:h:nvidia:hopper_hgx_8-gpu:1.3.0:*:*:*:*:*:*:*
- cpe:2.3:h:nvidia:hopper_hgx_8-gpu:1.3.1:*:*:*:*:*:*:*
- cpe:2.3:h:nvidia:hopper_hgx_8-gpu:1.3.2:*:*:*:*:*:*:*
https://nvidia.custhelp.com/app/answers/detail/a_id/5561
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Internal Asset Exposed to Unsafe Debug Access Level or State
EUVDB-ID: #VU105381
Risk: Low
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-0114
CWE-ID:
CWE-1244 - Internal Asset Exposed to Unsafe Debug Access Level or State
Exploit availability: No
DescriptionThe vulnerability allows a local user to execute arbitrary code on the target system.
The vulnerability exists due to internal asset exposed to unsafe debug access level or state in the HGX Management Controller (HMC). A local administrator can execute arbitrary code on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsHopper HGX 8-GPU: 1.3.0 - 1.5.0
CPE2.3- cpe:2.3:h:nvidia:hopper_hgx_8-gpu:1.3.0:*:*:*:*:*:*:*
- cpe:2.3:h:nvidia:hopper_hgx_8-gpu:1.3.1:*:*:*:*:*:*:*
- cpe:2.3:h:nvidia:hopper_hgx_8-gpu:1.3.2:*:*:*:*:*:*:*
https://nvidia.custhelp.com/app/answers/detail/a_id/5561
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
