Code Injection in NVIDIA Data Center GPU Manager (DCGM) - CVE-2021-34398
Published: August 8, 2021
Vulnerability identifier: #VU55645
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-34398
CWE-ID: CWE-94
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: nVidia
Affected software:
NVIDIA Data Center GPU Manager (DCGM)
NVIDIA Data Center GPU Manager (DCGM)
Detailed vulnerability description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper input validation in the DIAG module where any user can inject shared libraries into the DCGM server, which is usually running as root. A local user can inject and execute arbitrary code on the system.
How to mitigate CVE-2021-34398
Install updates from vendor's website.