Nvidia Releases Security Update for ConnectX and BlueField DPUs Amid High-Severity Flaws

NVIDIA ConnectX Firmware - CVE-2024-0105

Nvidia has issued a significant security update for its ConnectX and BlueField Data Processing Units (DPUs) following the discovery of two high-severity vulnerabilities (CVE-2024-0105 and CVE-2024-0106). These flaws could allow attackers to tamper with data, cause denial of service, or access sensitive information.

The vulnerabilities impact various models, including ConnectX 4-7 and BlueField 1-3 DPUs. According to Nvidia’s security bulletin, CVE-2024-0105 exists within the ConnectX firmware and could lead to “denial of service, data tampering, and limited information disclosure”. This vulnerability has been assigned a high CVSS score of 8.9. Similarly, CVE-2024-0106 affects the firmware for BlueField DPUs and shares the same risks of data tampering and service disruption, with a CVSS score of 8.7.

Nvidia lists the fixed version for each affected product. For instance, the ConnectX 4 models require an update to version 12.28.2302 or later, while ConnectX 6 and 7 models must be upgraded to version xx.41.1000 or later. BlueField 2 and 3 users, on the other hand, should update to the latest DOCA bundle versions, such as 2.7.0 for BlueField GA.

Users are encouraged to visit Nvidia’s Enterprise Support Portal to implement the latest firmware updates and protect their systems from potential exploits.
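A fleet check against the minimum ConnectX versions quoted above, as an added example (not NVIDIA tooling and not code from the article). It assumes the firmware string is read from `ethtool -i <iface>` and the adapter family comes from your own asset inventory; the family keys, host names and sample outputs are constructed.

```python
import re

# Minimum fixed versions quoted in the article. "xx" is a per-device major
# number, so only the last two fields are compared for those entries.
# The family keys are this example's own labels (assumption).
FIXED = {
    "connectx-4": "12.28.2302",
    "connectx-6": "xx.41.1000",
    "connectx-7": "xx.41.1000",
}
FW_LINE = re.compile(r"^firmware-version:\s*(\d+)\.(\d+)\.(\d+)", re.M)

def parse_fw(ethtool_output):
    """Return (major, minor, sub) from `ethtool -i` text, or None."""
    m = FW_LINE.search(ethtool_output)
    return tuple(int(x) for x in m.groups()) if m else None

def is_fixed(family, installed):
    """True/False, or None when the article gives nothing to compare with."""
    minimum = FIXED.get(family)
    if minimum is None or installed is None:
        return None
    major, minor, sub = minimum.split(".")
    if major != "xx" and installed[0] != int(major):
        return None  # different firmware line than the one listed
    return installed[1:] >= (int(minor), int(sub))

def audit(inventory):
    """Map host -> 'ok' | 'update' | 'unknown'; unknown needs a manual look."""
    labels = {True: "ok", False: "update", None: "unknown"}
    return {host: labels[is_fixed(fam, parse_fw(out))]
            for host, fam, out in inventory}

# Constructed sample data (hosts, versions and PSIDs are made up).
INVENTORY = [
    ("db01", "connectx-4", "driver: mlx5_core\nfirmware-version: 12.28.2006 (MT_0000000001)\n"),
    ("db02", "connectx-6", "driver: mlx5_core\nfirmware-version: 20.41.1000 (MT_0000000002)\n"),
    ("gpu01", "connectx-7", "driver: mlx5_core\nfirmware-version: 28.39.1002 (MT_0000000003)\n"),
    ("web01", "connectx-5", "driver: mlx5_core\nfirmware-version: 16.35.2000 (MT_0000000004)\n"),
    ("web02", "connectx-6", "driver: mlx5_core\n"),
]

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` are the ones the quoted versions cannot decide (a family or firmware line the article does not list, or no firmware string in the output) and should be checked against the vendor bulletin directly.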
