CVE-2022-34667 The NVIDIA CUDA Toolkit SDK contains a stack-based buffer overflow vulnerability exploited by an unprivileged remote attacker who can convince a local user to download a specially crafted corrupted file.
NVIDIA CUDA software is typically installed on Linux or Windows servers. Therefore, most of the vulnerable software packages on these operating systems are not updated or maintained by end users. Instead, general server maintenance contractors or vendor-provided update management software are responsible for software updates. Server administrators may not routinely check the contents of server software packages to ensure they haven’t been corrupted to introduce a buffer overflow condition, which may lead to a remote denial of service (DoS) attack.
CVE-2021-34668
The vulnerability affects all versions of NVIDIA CUDA software between 4.0 and 6.5 that are installed on Linux servers and Windows servers, respectively. It also affects all versions of NVIDIA CUDA software that are not updated by the end user and are not maintained by services like vendor-provided update management software or general server maintenance contractors.
Root cause analysis: The vulnerability is caused by a buffer overflow bug in the cuCtxMemcpy library used by CUDA client driver components to implement indirect data copying within the GPU process.
A remote denial of service (DoS) condition can be exploited through the vulnerable library if an attacker sends a malformed message to a target system running any version of NVIDIA CUDA Software between 4.0 and 6.5 on Linux or Windows, respectively, from a system with network access to this system over TCP port 7777 (the default port for CUDA).
CVE-2022: CUDA Software is not picky about credentials
The CUDA software is not picky about credentials—this means that it can be used to attack any Linux or Windows server. This vulnerability affects all NVIDIA CUDA-enabled packages on Linux and Windows, including those typically provided by vendors.
Because general server maintenance contractors or vendor-provided update management software are responsible for updating the vulnerable packages, they may not routinely check the contents of these packages to ensure they haven’t been corrupted to introduce a buffer overflow condition, which may lead to a remote denial of service (DoS) attack. The CUDA software was released in 2006, when many of the recent vulnerabilities were discovered and patched.
Attack Vector
One of the vulnerabilities found in the CUDA software is that it may not be updated by server administrators. Vendors or contractors may install a new version of CUDA, but these updates are typically not pushed to end-users and are frequently not checked for integrity before being deployed. This means that if malicious code was introduced into any vulnerable software packages during an update, attackers could exploit these packages and cause a DoS attack.
The vulnerability discovered in the NVIDIA CUDA software presents a significant risk because most of the vulnerable packages on Linux or Windows servers are not regularly updated by end users, which makes them susceptible to attack.
Vulnerability overview
As the NVIDIA CUDA software is installed on servers, it is susceptible to buffer overflow vulnerabilities. Buffer overflows allow attackers to inject malicious code into the server, which may lead to a remote denial of service (DoS) attack.
The vulnerability CVE-2022-34667 was found in one of these vulnerable packages, libcudart. The vulnerability allowed an attacker with remote access and a password of “NVIDIA” to execute arbitrary code as root on a targeted system running NVIDIA CUDA software.
Timeline
Published on: 11/19/2022 00:15:00 UTC
Last modified on: 11/29/2022 15:37:00 UTC