CVE-2022-31603 - NVIDIA DGX A100 contains a vulnerability in SBIOS in the IpSecDxe, where a user with high privileges

CVE-2022-31603

Summary

NVIDIA DGX A100 contains a vulnerability in SBIOS in the IpSecDxe, where a user with high privileges and preconditioned IpSecDxe global data can exploit improper validation of an array index to cause code execution, which may lead to denial of service, data integrity impact, and information disclosure.

References

https://nvidia.custhelp.com/app/answers/detail/a_id/5367

Vulnerable Configurations

cpe:2.3:o:nvidia:dgx_a100_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:nvidia:dgx_a100_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:nvidia:dgx_a100:-:*:*:*:*:*:*:*
cpe:2.3:h:nvidia:dgx_a100:-:*:*:*:*:*:*:*

CVSS

Base:	4.4 (as of 13-07-2022 - 13:20)
Impact:
Exploitability:

CWE

CWE-129

CAPEC

Overflow Buffers
Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an adversary. As a consequence, an adversary is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the adversaries' choice.

Access

Vector	Complexity	Authentication
LOCAL	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:L/AC:M/Au:N/C:P/I:P/A:P

Last major update

13-07-2022 - 13:20

Published

04-07-2022 - 18:15

Last modified

13-07-2022 - 13:20