Urgent Firmware Alert: NVIDIA Tackles Critical DGX A100/H100 Flaws
NVIDIA recently released a firmware security update for its advanced computing systems, the DGX A100 and H100. The update addresses a suite of vulnerabilities that could have significant implications for users and the AI ecosystem.
The firmware update is NVIDIA’s response to 11 firmware vulnerabilities, with several rated as critical. These vulnerabilities, identified by their CVE (Common Vulnerabilities and Exposures) numbers, range in severity but share a common potential for severe impact on system security and data integrity.
Most Critical Vulnerabilities
- CVE-2023-31029 and CVE-2023-31030 (CVSS 9.3): Both of these vulnerabilities exist in the NVIDIA DGX A100’s baseboard management controller (BMC). They involve the host KVM daemon and could allow an unauthenticated attacker to cause a stack overflow through a specially crafted network packet. The potential consequences are dire, including arbitrary code execution, denial of service, information disclosure, and data tampering.
- CVE-2023-31024 (CVSS 9.0): This vulnerability, also in the DGX A100 BMC, could lead to stack memory corruption, again by an unauthenticated attacker leveraging a network packet. The impacts mirror those of the above vulnerabilities.
High-Severity Vulnerabilities
- CVE-2023-25529 and CVE-2023-25530 (CVSS 8.0): These vulnerabilities, present in both DGX H100 and A100 BMCs, involve the host KVM daemon and KVM service, respectively. They could allow an attacker to exploit timing discrepancies or improper input validation, leading to information disclosure, privilege escalation, and data tampering.
- CVE-2023-31032 and CVE-2023-31035 (CVSS 7.5): Found in the DGX A100 SBIOS, these comprise a dynamic variable evaluation vulnerability and an SMI callout vulnerability that could lead to code execution, denial of service, privilege escalation, and information disclosure.
Medium and Lower Severity Vulnerabilities
- CVE-2023-31033, CVE-2023-31034, CVE-2023-31025, and CVE-2023-31031: These vulnerabilities, with CVSS scores ranging from 4.2 to 6.8, include issues like missing authentication, integer overflow, LDAP user injection, and buffer overflow. Each poses a threat to system stability and security, although they are considered less critical than the aforementioned vulnerabilities.
NVIDIA’s Response: Firmware Update
NVIDIA has promptly responded with a firmware update to mitigate these vulnerabilities. The update is essential for all DGX A100 and H100 systems, as the BMC bugs are present in all versions before 00.22.05. Additionally, NVIDIA has issued fixes for lower-rated vulnerabilities in DGX A100 SBIOS versions before 1.25.
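A fleet check against the version thresholds stated above, as an added example that is not NVIDIA tooling or part of the original article. It compares dotted versions part by part as integers (so 1.3 sorts before 1.25) and treats unreadable versions as unpatched; the inventory rows, host names and function names are constructed for illustration.

```python
# Added example. Thresholds are the ones quoted in the article; confirm them
# against the vendor bulletin for your platform before acting on the result.
FIXED = {"bmc": "00.22.05", "sbios": "1.25"}

def parse_version(text):
    """'00.22.05' -> (0, 22, 5). Raises ValueError on non-numeric parts."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def is_older(installed, fixed):
    """True if installed sorts before fixed, comparing parts as integers."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b

def audit(rows):
    """Return [(host, [reason, ...])] for hosts that still need the update."""
    findings = []
    for host, model, bmc, sbios in rows:
        checks = [("bmc", bmc)]
        if model == "DGX A100":  # the article names an SBIOS fix for A100 only
            checks.append(("sbios", sbios))
        reasons = []
        for component, version in checks:
            try:
                if is_older(version, FIXED[component]):
                    reasons.append(f"{component} {version} < {FIXED[component]}")
            except ValueError:
                # Fail closed: an unreadable version is treated as unpatched.
                reasons.append(f"{component} version unreadable: {version!r}")
        if reasons:
            findings.append((host, reasons))
    return findings

# Constructed inventory rows: (host, model, BMC version, SBIOS version).
SAMPLE = [
    ("dgx-a-01", "DGX A100", "00.19.07", "1.21"),
    ("dgx-a-02", "DGX A100", "00.22.05", "1.25"),
    ("dgx-h-01", "DGX H100", "00.22.04", "1.0"),
    ("dgx-a-03", "DGX A100", "unknown", "1.25"),
]

if __name__ == "__main__":
    for host, reasons in audit(SAMPLE):
        print(host, "->", "; ".join(reasons))
```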