NVIDIA has issued a security advisory addressing a critical vulnerability (CVE-2024-0138) discovered in its Base Command Manager software. This flaw, located within the CMDaemon component, poses significant risks, including the potential for remote code execution, denial of service, privilege escalation, information disclosure, and data tampering.

What does the Vulnerability mean

The source of the vulnerability was from insecure temporary file handling, which could lead to a denial of service (DoS) condition on affected systems.

NVIDIA has released patches to address the issue and prevent potential exploitation. This critical flaw can be exploited remotely without any prerequisites, such as user interaction or special privileges, making it highly dangerous.

Vulnerability Name	CVE ID	Product Affected	Impact	Fixed Version
Insecure Temporary File Vulnerability	CVE-2024-0139	NVIDIA Base Command Manager, Bright Cluster Manager	Medium	Base Command Manager: 10.24.09a; Bright Cluster Manager: 9.0-22, 9.1-19, 9.2-17

Technical Summary 

 NVIDIA confirmed earlier versions, including 10.24.07 and earlier, are not impacted by this vulnerability.

To mitigate the issue, NVIDIA recommends updating the CMDaemon component on all head nodes and software images.

Remediation: 

1. Base Command Manager 

• Update to version 10.24.09a to address the vulnerability. 

2. Bright Cluster Manager 

• Depending on your version, update to one of the following: 

• 9.0-22 

• 9.1-19 

• 9.2-17 

3. CMdaemon Update 

• Ensure the most recent version of CMdaemon is installed on the head nodes and in all software images. 

4. Node Update . 

After applying the update, systems should be rebooted or resynchronized with the updated software image to ensure the fix is fully implemented. These measures are essential to eliminate the root cause that created vulnerability and protect systems from potential exploitation.

References: 

• For additional details on the vulnerability and patch instructions, visit NVIDIA’s security bulletin. 

CVE ID	System Affected	Platform	Vulnerability Details	Impact
CVE-2024-0139	NVIDIA Base Command Manager (Versions 3, 10) NVIDIA Bright Cluster Manager (Versions 9.0-9.2)	Linux	The vulnerability stems from insecure handling of temporary files in both Base Command Manager and Bright Cluster Manager. Exploiting this flaw could disrupt system availability, potentially causing a denial of service.	Potential denial of service on affected systems.