Vulnerabilities: Nvidia releases BMC firmware updates for DGX servers

Source: Heise.de added 30th Oct 2020


Updates to the AMI Baseboard Management Controller (BMC) firmware for Nvidia's DGX servers DGX-1, DGX-2 and DGX A100, which are built primarily for deep learning, eliminate a total of nine security holes. One is rated critical; five others pose a high security risk, two a medium and one a low security risk.

Exploiting the vulnerabilities involves a network connection from the attacker to the BMC of the respective server. Possible consequences of a successful attack include privilege escalation, information disclosure and remote code execution.

Secure firmware available

Further details on the vulnerabilities, as well as on vulnerable and fixed firmware versions, can be found in Nvidia's Security Bulletin on the vulnerabilities or in the illustration in this article. Before installing the updates, the respective firmware update container may need to be updated first: DGX-1 servers require an upgrade to nvfw-dgx1:20.10.2, and DGX-2 servers an upgrade to nvfw-dgx2: 20. 10.

The firmware updates themselves can be obtained from the NVIDIA Enterprise Support Portal. To minimize risk, Nvidia also recommends restricting access to the BMC, including its web interface, to trusted networks.

(Image: nvidia.custhelp.com)

Other manufacturers are probably also affected

The nine security gaps were discovered by the security researchers of the SCADAStrangeLove project. Nvidia and other affected manufacturers use the microcontrollers from AMI and the associated vulnerable firmware code in their systems. In an entry on their research results in the SCADAStrangeLove blog, the researchers specifically name the following manufacturers and products:

  • ASRockRack IPMI
  • ASUS ASMB9-iKVM
  • DEPO Computers
  • Gigabyte IPMI motherboards
  • Gooxi BMC
  • Hewlett Packard Enterprise Megarac
  • IBM (BMC Advanced System Management)
  • Lenovo (ThinkServer Management Module)
  • Microbits (Mikrotik)
  • Netapp
  • Quanta Computer Inc.
  • TYAN motherboard

When asked by SecurityWeek, AMI confirmed this indirectly: the company had been made aware of the security vulnerabilities through a firmware audit by a third-party provider before Nvidia gave a corresponding notice. Patches have already been developed and distributed to the (albeit unspecified) customers.

(ovw)
