SB2025030619 - Multiple vulnerabilities in NVIDIA Hopper HGX 8-GPU



SB2025030619 - Multiple vulnerabilities in NVIDIA Hopper HGX 8-GPU

Published: March 6, 2025

Security Bulletin ID SB2025030619
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 vulnerabilities.


1) Exposed IOCTL with Insufficient Access Control (CVE-ID: CVE-2024-0141)

CWE-ID: CWE-782 - Exposed IOCTL with Insufficient Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient access control in the IOCTL within the GPU vBIOS. A remote administrator can write to an unsupported registry and cause a denial of service condition.


2) Internal Asset Exposed to Unsafe Debug Access Level or State (CVE-ID: CVE-2024-0114)

CWE-ID: CWE-1244 - Internal Asset Exposed to Unsafe Debug Access Level or State

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to execute arbitrary code on the target system.

The vulnerability exists due to internal asset exposed to unsafe debug access level or state in the HGX Management Controller (HMC). A local administrator can execute arbitrary code on the target system.


Remediation

Install update from vendor's website.