Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 2 |
CVE-ID | CVE-2024-0105, CVE-2024-0106 |
CWE-ID | CWE-264 |
Exploitation vector | Local network |
Public exploit | N/A |
Vulnerable software | ConnectX4, ConnectX4 LX, ConnectX GA, ConnectX LTS22, ConnectX LTS23, BlueField 1, BlueField GA, BlueField LTS22, BlueField LTS23 (Hardware solutions / Firmware) |
Vendor | NVIDIA |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU99496
Risk: Medium
CVSSv4.0: 4.9 [CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-0105
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description
The vulnerability allows a remote user on the local network to compromise the target system.
The vulnerability exists due to improper handling of insufficient privileges, which leads to denial of service, data tampering and limited information disclosure.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
ConnectX4: before 12.28.2302
ConnectX4 LX: before xx.32.1900
ConnectX GA: before xx.41.1000
ConnectX LTS22: before xx.35.4030
ConnectX LTS23: before xx.39.3560
BlueField 1: before 18.31.1014
BlueField GA: before xx.41.1000
BlueField LTS22: before xx.35.4030
BlueField LTS23: before xx.39.3560
Reference: https://nvidia.custhelp.com/app/answers/detail/a_id/5562
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU99497
Risk: Low
CVSSv4.0: 4.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-0106
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description
The vulnerability allows a local user to compromise the target system.
The vulnerability exists due to improper handling of insufficient privileges, which leads to denial of service, data tampering and limited information disclosure.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
BlueField 1: before 18.31.1014
BlueField GA: before xx.41.1000
BlueField LTS22: before xx.35.4030
BlueField LTS23: before xx.39.3560
Reference: https://nvidia.custhelp.com/app/answers/detail/a_id/5562
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker must have valid credentials and authenticate successfully on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.