Vulnerability discovered in NVIDIA UFM systems allows unauthorized access to the system

NVIDIA UFM (Unified Fabric Manager) is a network management system developed by NVIDIA, designed for high-performance computing and data centers. UFM is used for managing, monitoring, and configuring network infrastructure. The UFM system provides various features to improve performance and increase efficiency.

On November 26, 2024, NVIDIA disclosed a high-severity security vulnerability (CVE-2024-0130) affecting its UFM Enterprise, UFM Appliance, and UFM CyberAI products. This vulnerability could allow attackers to gain unauthorized access to systems, tamper with data, cause denial of service, and access sensitive information.

The vulnerability has been rated with a high severity level, scoring 8.8 on the CVSS v3.1 scale. The issue arises due to a flaw in the authentication mechanism. Attackers could exploit this vulnerability to escalate privileges (privilege escalation) and access other weaknesses within the system, enabling them to increase their rights, disrupt system operations, or gain access to sensitive information.

The vulnerability is primarily exploitable through the Ethernet management interface, by sending malformed requests over the network. However, since the management interfaces of UFM systems are usually isolated from public networks, the risk may be limited in certain cases. Nevertheless, misconfigurations in larger networks could increase the risk of exploitation.

Affected Products and Versions

The vulnerability impacts the following versions of NVIDIA UFM products:

  • UFM Enterprise GA (versions 6.15.x, 6.16.x, 6.17.x)
  • UFM Enterprise LTS23 (versions 6.15.x LTS, prior to version 6.15.6-4 LTS)
  • UFM Enterprise Appliance GA (versions 1.6.x, 1.7.x, 1.8.x)
  • UFM Enterprise Appliance LTS23 (versions 1.6.x LTS, prior to version 1.6.6-1 LTS)
  • UFM SDN Appliance GA (versions 4.14.x, 4.15.x, 4.16.x)
  • UFM SDN Appliance LTS23 (versions 4.14.x LTS, prior to version 4.14.6.4 LTS)
  • UFM CyberAI GA (versions 2.6.x, 2.7.x, 2.8.x)
  • UFM CyberAI LTS23 (version 2.6.1-3 LTS)

NVIDIA has released firmware updates for the affected products. Users are strongly advised to download and install these updates immediately from the NVIDIA Enterprise Support Portal.

While the management interfaces of most systems are isolated from public networks, it is important to properly configure them to ensure security. IT administrators should review their network configurations and ensure that management interfaces are isolated from untrusted networks.

Applying security updates to all affected versions of UFM products is crucial for protecting systems against potential attacks. Organizations, particularly those using infrastructure management tools that provide privileged access to network resources, need to stay up-to-date with security measures to ensure protection.

4o mini

Skip to content