NVIDIA

Security Update for NVIDIA Base Command & Bright Cluster Managers 

NVIDIA has issued a security advisory addressing a critical vulnerability (CVE-2024-0138) discovered in its Base Command Manager software. This flaw, located within the CMDaemon component, poses significant risks, including the potential for remote code execution, denial of service, privilege escalation, information disclosure, and data tampering.

What does the Vulnerability mean

The source of the vulnerability was from insecure temporary file handling, which could lead to a denial of service (DoS) condition on affected systems.

NVIDIA has released patches to address the issue and prevent potential exploitation. This critical flaw can be exploited remotely without any prerequisites, such as user interaction or special privileges, making it highly dangerous.

Vulnerability Name CVE ID Product Affected Impact Fixed Version 
Insecure Temporary File Vulnerability CVE-2024-0139 NVIDIA Base Command Manager, Bright Cluster Manager Medium Base Command Manager: 10.24.09a; Bright Cluster Manager: 9.0-22, 9.1-19, 9.2-17 

Technical Summary 

 NVIDIA confirmed earlier versions, including 10.24.07 and earlier, are not impacted by this vulnerability.

To mitigate the issue, NVIDIA recommends updating the CMDaemon component on all head nodes and software images.

Remediation

1. Base Command Manager 

  • Update to version 10.24.09a to address the vulnerability. 

2. Bright Cluster Manager 

  • Depending on your version, update to one of the following: 
  • 9.0-22 
  • 9.1-19 
  • 9.2-17 

3. CMdaemon Update 

  • Ensure the most recent version of CMdaemon is installed on the head nodes and in all software images. 

4. Node Update . 

After applying the update, systems should be rebooted or resynchronized with the updated software image to ensure the fix is fully implemented. These measures are essential to eliminate the root cause that created vulnerability and protect systems from potential exploitation.

References

CVE ID System Affected Platform Vulnerability Details Impact 
CVE-2024-0139 NVIDIA Base Command Manager (Versions 3, 10) NVIDIA Bright Cluster Manager (Versions 9.0-9.2) Linux The vulnerability stems from insecure handling of temporary files in both Base Command Manager and Bright Cluster Manager. Exploiting this flaw could disrupt system availability, potentially causing a denial of service. Potential denial of service on affected systems. 

Scroll to top