CVE-2022-42277

NVIDIA DGX Station contains a vulnerability in SBIOS in the SmiFlash, where a local user with elevated privileges can read, write and erase flash, which may lead to code execution, escalation of privileges, denial of service, and information disclosure. The scope of impact can extend to other components.

CVSS v3 8.2 HIGH

8.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.5 / Impact : 6.0

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://nvidia.custhelp.com/app/answers/detail/a_id/5435	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:nvidia:dgx_station_a100_firmware:*:*:*:*:sbios:*:*:*

cpe:2.3:h:nvidia:dgx_station_a100:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2023-01-13 02:15

Updated : 2023-01-20 15:29

NVD link : CVE-2022-42277

Mitre link : CVE-2022-42277

CVE.ORG link : CVE-2022-42277

JSON object : View

Products Affected

nvidia

dgx_station_a100_firmware
dgx_station_a100

CWE

CWE-306

Missing Authentication for Critical Function

CWE-288

Authentication Bypass Using an Alternate Path or Channel

{"id": "CVE-2022-42277", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.5}, {"type": "Secondary", "source": "psirt@nvidia.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 0.8}]}, "published": "2023-01-13T02:15:07.957", "references": [{"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5435", "tags": ["Vendor Advisory"], "source": "psirt@nvidia.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-306"}]}, {"type": "Secondary", "source": "psirt@nvidia.com", "description": [{"lang": "en", "value": "CWE-288"}]}], "descriptions": [{"lang": "en", "value": "NVIDIA DGX Station contains a vulnerability in SBIOS in the SmiFlash, where a local user with elevated privileges can read, write and erase flash, which may lead to code execution, escalation of privileges, denial of service, and information disclosure. The scope of impact can extend to other components."}, {"lang": "es", "value": "NVIDIA DGX Station contiene una vulnerabilidad en SBIOS en SmiFlash, donde un usuario local con privilegios elevados puede leer, escribir y borrar flash, lo que puede provocar la ejecuci\u00f3n de c\u00f3digo, escalada de privilegios, denegaci\u00f3n de servicio y divulgaci\u00f3n de informaci\u00f3n. El alcance del impacto puede extenderse a otros componentes."}], "lastModified": "2023-01-20T15:29:55.670", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:nvidia:dgx_station_a100_firmware:*:*:*:*:sbios:*:*:*", "vulnerable": true, "matchCriteriaId": "0010FB43-8924-4B49-954F-F4735EECA098", "versionEndExcluding": "10.16"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:nvidia:dgx_station_a100:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "96A05233-855C-4099-BF73-0D04F8F58A44"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "psirt@nvidia.com"}