NVIDIA (DGX Station A100, DGX Station A800) Products February 2024 Security Update Advisory
Overview
NVIDIA has made available an update that addresses a vulnerability in products it has has been made. users of affected versions are encouraged to update to the latest version.
Affected Products
CVE-2022-42271, CVE-2022-42272, CVE-2022-42273, CVE-2022-42274, CVE-2022-42275, CVE-2022-42279, CVE-2022-42280, CVE-2022-42282, CVE-2022-42283, CVE-2022-42284, CVE-2022-42287, CVE-2022-42288, CVE-2022-42289, CVE–2022-42290
- NVIDIA DGX Servers DGX Station A100, DGX Station A800 BMC firmware version less than 2.09.00
CVE-2023-25521, CVE-2023-31031, CVE-2023-31032, CVE-2023-31034
- NVIDIA DGX Servers DGX Station A100, DGX Station A800 SBIOS firmware versions earlier than 10.20
Resolved Vulnerabilities
Denial of Service Vulnerability Due to Insufficient Buffer Overflow Validation in the NVIDIA baseboard management controller (BMC) (CVE-2022-42271)
Denial of Service Vulnerability Due to Insufficient Buffer Overflow Validation in NVIDIA BMC (CVE-2022-42272)
Denial of Service Vulnerability Due to Insufficient Buffer Overflow Validation in NVIDIA BMC (CVE-2022-42273)
Denial of Service Vulnerability Due to Insufficient Buffer Overflow Validation in NVIDIA BMC (CVE-2022-42274)
Denial of Service Vulnerability in NVIDIA BMC Due to Insufficient Security Settings Protection Bypass (CVE-2022-42275)
Denial of Service Vulnerability Due to Insufficient Validation of Arbitrary Shell Command Injection in NVIDIA BMC (CVE-2022-42279)
Privilege escalation vulnerability due to lack of validation of input paths in NVIDIA BMC (CVE-2022-42280)
Information Disclosure Vulnerability in NVIDIA BMC Due to Insufficient Access to Arbitrary Files (CVE-2022-42282)
Denial of Service Vulnerability in NVIDIA BMC Due to Insufficient Buffer Overflow Validation (CVE-2022-42283)
Credential Exposure Vulnerability in NVIDIA BMC (CVE-2022-42284)
Denial of Service Vulnerability in NVIDIA BMC due to remote file upload and download under certain conditions (CVE-2022-42287)
Information Disclosure Vulnerability in NVIDIA BMC due to possible user account information inference (CVE-2022-42288)
Arbitrary command injection vulnerability in NVIDIA DGX Station A100 and DGX Station A800 BMCs (CVE-2022-42289)
Arbitrary command injection vulnerability in NVIDIA DGX Station A100 and DGX Station A800 BMCs (CVE-2022-42290)
Code execution, privilege escalation, denial of service, information disclosure, and data tampering vulnerability due to improper validation of input parameters in the NVIDIA DGX Station A100 and DGX Station A800 SBIOS (CVE-2023-25521)
Heap-based buffer overflow vulnerability due to user local access in the NVIDIA DGX Station A100 and DGX Station A800 SBIOS (CVE-2023-31031)
Dynamic variable handling vulnerability due to user local access in the NVIDIA DGX Station A100 and DGX Station A800 SBIOS (CVE-2023-31032)
Input validation bypass vulnerability in the NVIDIA DGX Station A100 and DGX Station A800 SBIOS due to integer overflow (CVE-2023-31034)
Vulnerability Patch
A vulnerability patch was made available in the February 8, 2024 update. please follow the instructions on the reference site [1] to update to the latest vulnerability patch version.
CVE-2022-42271, CVE-2022-42272, CVE-2022-42273, CVE-2022-42274, CVE-2022-42275, CVE-2022-42279, CVE-2022-42280, CVE-2022-42282, CVE-2022-42282, CVE-2022-42283, CVE-2022-42284, CVE-2022-42287. CVE-2022-42288, CVE-2022-42289, CVE–2022-42290
- NVIDIA DGX Servers DGX Station A100, DGX Station A800 BMC Firmware 2.09.00
CVE-2023-25521, CVE-2023-31031, CVE-2023-31032, CVE–2023-31034
- NVIDIA DGX Servers DGX Station A100, DGX Station A800 SBIOS Firmware 10.20
Referenced Sites
[1] Security Bulletin: NVIDIA DGX Station A100 and DGX Station A800 – February 2024
https://nvidia.custhelp.com/app/answers/detail/a_id/5513
[2] CWE-120: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)
https://cwe.mitre.org/data/definitions/120.html
[3] CWE-627: Dynamic Variable Evaluation
https://cwe.mitre.org/data/definitions/627.html
[4] CWE-250: Execution with Unnecessary Privileges
https://cwe.mitre.org/data/definitions/250.html
[5] CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
https://cwe.mitre.org/data/definitions/78.html
[6] CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
https://cwe.mitre.org/data/definitions/22.html
[7] CWE-312: Cleartext Storage of Sensitive Information
https://cwe.mitre.org/data/definitions/312.html
[8] CWE-208: Observable Timing Discrepancy
https://cwe.mitre.org/data/definitions/208.html
[9] CWE-122: Heap-based Buffer Overflow
https://cwe.mitre.org/data/definitions/122.html