NVIDIA Patches Critical Bug in High-Performance Servers


3rd November 2020, Kathmandu

NVIDIA recently released a patch for a critical bug in its high-performance line of DGX servers. The bug could allow remote attackers to take control of a system and access sensitive data on it. These systems are operated by governments and Fortune-100 companies.

NVIDIA issued nine patches to fix flaws in firmware used by DGX high-performance computing (HPC) systems. The systems handle processor-intensive artificial intelligence (AI) tasks, machine learning, and data modelling. The fixes address flaws in the firmware of the DGX AMI baseboard management controller (BMC), the brains behind the servers' remote monitoring service.

Researcher Sergey Gordeychik, credited with finding the bugs, wrote that the attackers could be remote. If bad guys root one of the boxes and then get access to the controller, they can use the out-of-band management network to PWN the whole data center. Moreover, he added, “If you have OOB access, the game is over for the target.”

With the high-stakes computing jobs typically running on the HPC systems, exploiting the flaw could even interfere with data and force models to make incorrect predictions or infect an AI model.

No Patch Until 2021 for One NVIDIA Critical Bug

NVIDIA has said that it won’t be able to release the patch fixing one critical bug (CVE‑2020‑11487) until the second quarter of 2021. Meanwhile, the bug is impacting the DGX A100 server line. The bug is tied to a hard-coded RSA 1024 key with weak ciphers, leading to information disclosure. A fix is already available for the other servers impacted by CVE‑2020‑11487, the DGX-1 and DGX-2.

NVIDIA suggested limiting connectivity to the BMC, including the web UI, to trusted management networks to mitigate the security concerns.

Bugs Highlight Vulnerability of AI and ML Infrastructure

Sergey Gordeychik disclosed the bugs Wednesday at CodeBlue 2020 as part of the presentation “Vulnerabilities of Machine Learning Infrastructure.”

In the presentation, Sergey highlighted the vulnerability of different AI infrastructure components. These include NVIDIA DGX GPU servers used with ML frameworks (PyTorch, Keras, and TensorFlow) and data processing pipelines. Specific applications, including medical imaging and face-recognition-powered CCTV, could also be tampered with by an adversary.
Given NVIDIA's supply chain, other vendors are also likely to be impacted.

Nine CVE Patches

Among the nine CVE patches NVIDIA issued on Wednesday, CVE‑2020‑11483 is a critical bug. The vulnerable line of NVIDIA DGX servers includes DGX-1, DGX-2, and DGX A100.

Of the nine CVEs, four are critical: CVE‑2020‑11484, CVE‑2020‑11487, CVE‑2020‑11485, CVE‑2020‑11486. CVE‑2020‑11484 is the most severe of the four.

Of the other patched vulnerabilities, three are medium severity and one is low severity.

