Multiple vulnerabilities in NVIDIA DGX A100 and DGX A800
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2023-25521 CVE-2023-25522 |
| CWE-ID | CWE-250 CWE-20 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software Subscribe |
DGX A800 System Hardware solutions / Firmware DGX A100 Servers Hardware solutions / Firmware NVIDIA SBIOS Operating systems & Components / Operating system |
| Vendor | nVidia |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Execution with unnecessary privileges
EUVDB-ID: #VU77919
Risk: Low
CVSSv3.1: 6.5 [CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-25521
CWE-ID:
CWE-250 - Execution with Unnecessary Privileges
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper validation of an input parameter in SBIOS. A local administrator can run the affected binary and execute arbitrary code on the system with root privileges.
MitigationInstall updates from vendor's website.
Vulnerable software versionsDGX A800 System: All versions
DGX A100 Servers: before 23.06.3
NVIDIA SBIOS: before 1.21
External linkshttp://nvidia.custhelp.com/app/answers/detail/a_id/5461
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU77920
Risk: Low
CVSSv3.1: 6.5 [CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-25522
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the target system.
The vulnerability exists due to insufficient validation of user-supplied input in SBIOS. A local administrator can pass specially crafted input to the application and execute arbitrary code on the system with root privileges.
MitigationInstall updates from vendor's website.
Vulnerable software versionsDGX A800 System: All versions
DGX A100 Servers: before 23.06.3
NVIDIA SBIOS: before 1.21
External linkshttp://nvidia.custhelp.com/app/answers/detail/a_id/5461
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
