Code Injection in NVIDIA Data Center GPU Manager (DCGM) - CVE-2021-34398

 

Code Injection in NVIDIA Data Center GPU Manager (DCGM) - CVE-2021-34398

Published: August 8, 2021


Vulnerability identifier: #VU55645
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-34398
CWE-ID: CWE-94
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: nVidia
Affected software:
NVIDIA Data Center GPU Manager (DCGM)

Detailed vulnerability description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper input validation in the DIAG module where any user can inject shared libraries into the DCGM server, which is usually running as root. A local user can inject and execute arbitrary code on the system.


How to mitigate CVE-2021-34398

Install updates from vendor's website.

Sources