NVIDIA Fixes Security Vulnerabilities in DGX-1 Firmware

The ever-growing reliance on artificial intelligence and machine learning technologies has made high-performance computing systems like NVIDIA DGX-1 essential in various industries. As organizations increasingly depend on these powerful systems, ensuring their security is critical to protect sensitive data and maintain optimal performance.

Today, NVIDIA has released a security update for its DGX-1 firmware, addressing six vulnerabilities that may lead to issues such as arbitrary code execution, denial of service, escalation of privileges, information disclosure, data tampering, and SecureBoot bypass. The following section provides a summary of these vulnerabilities, their potential impact, and the updated firmware versions that address them.

1. CVE-2023-0209 (CVSS score of 8.2)

This vulnerability affects the Uncore PEI module in NVIDIA DGX-1 SBIOS. It results from a lack of authentication for the code executed by SSA, potentially leading to various security risks.

Affected version: All SBIOS prior to S2W_3A13

Updated version: S2W_3A13

2. CVE-2023-25505 (CVSS score of 7.8)

This vulnerability lies in the IPMI handler of the AMI MegaRAC BMC in NVIDIA DGX-1 BMC. An attacker with the appropriate authorization level can cause a buffer overflow, potentially leading to a denial of service, information disclosure, or arbitrary code execution.

Affected version: All BMC versions prior to 3.39.3

Updated version: 3.39.30

3. CVE-2023-25506 (CVSS score of 7.5)

This vulnerability affects Ofbd in AMI SBIOS in NVIDIA DGX-1. A preconditioned heap allows a user with elevated privileges to cause access beyond the end of a buffer, potentially leading to code execution, escalation of privileges, denial of service, and information disclosure.

Affected version: All SBIOS prior to S2W_3A13

Updated version: S2W_3A13

4. CVE-2023-25507 (CVSS score of 7.2)

This vulnerability is present in the SPX REST API of NVIDIA DGX-1 BMC. An attacker with the appropriate authorization level can inject arbitrary shell commands, potentially leading to code execution, denial of service, information disclosure, and data tampering.

Affected version: All BMC versions prior to 3.39.3

Updated version: 3.39.30

5. CVE-2023-25508 (CVSS score of 6.7)

This vulnerability affects the IPMI handler in NVIDIA DGX-1 BMC. An attacker with the appropriate authorization level can upload and download arbitrary files under specific circumstances, potentially leading to security risks.

Affected version: All BMC versions prior to 3.39.3

Updated version: 3.39.30

6. CVE-2023-25509 (CVSS score of 6.0)

This vulnerability is found in Bds in NVIDIA DGX-1 SBIOS and may lead to code execution, service denial, and privileges escalation.

Affected version: All SBIOS prior to S2W_3A13

Updated version: S2W_3A13

Mitigation and Remediation

Organizations using NVIDIA DGX-1 systems must promptly update their firmware to the latest versions to address these vulnerabilities.