Security Advisory – High Severity Vulnerability in NVIDIA BlueField 2 and 3 BMC Firmware Addressed (CVE-2023-31037)

NVIDIA has issued a firmware update for its BlueField Data Processing Unit (DPU) Baseboard Management Controller (BMC) to address a high-severity vulnerability. Tracked as CVE-2023-31037, it affects NVIDIA BlueField 2 and BlueField 3 DPU BMCs. The flaw is in ipmitool, where a root user may cause code injection through a network call. Successful exploitation may lead to code execution on the operating system.

The vulnerability has a CVSS v3.1 base score of 7.2, which places it in the ‘High’ severity band. It is classified under CWE-94, Improper Control of Generation of Code (‘Code Injection’).

NVIDIA has acknowledged HaoKun Yang for reporting this issue and encourages users to update to the latest firmware versions. The affected versions are BMC software LTS: 2.8.2-46, 23.04, 23.07, and 23.09. The updated versions addressing this vulnerability are LTS: 2.8.2-51 and 23.10.

For further details and to download the security update, users are advised to visit NVIDIA’s DOCA Software Framework page and follow their guidelines.

Source: NVIDIA Security Bulletin