Information Disclosure Vulnerability in NVIDIA DGX H100 BMC
CVE-2023-25529

8.1HIGH

Key Information:

Vendor: NVIDIA
Status: DGX H100 BMC; DGX A100 BMC
Vendor: CVE Published:; 20 September 2023

What is CVE-2023-25529?

The NVIDIA DGX H100 BMC features a vulnerability within the host KVM daemon, which allows an unauthenticated attacker to potentially exploit timing discrepancies in server responses to access another user's session token. This could lead to unauthorized information disclosure, escalation of privileges, and possible data tampering, compromising the security and integrity of users’ sessions.

Affected Version(s)

DGX A100 BMC All BMC versions prior to 00.22.05

DGX H100 BMC All versions prior to 23.08.07

References

https://nvidia.custhelp.com/app/answers/detail/a_id/5473

https://nvidia.custhelp.com/app/answers/detail/a_id/5510

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 20, 2023
Vulnerability Reserved
Feb 7, 2023