CVE-2020-11488 — Improper Verification of Cryptographic Signature in Intel BMC Firmware
Severity
6.7 MEDIUM (NVD)
EPSS
0.0%
top 86.44%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Oct 29
Latest update: May 24
Description
NVIDIA DGX servers, all DGX-1 with BMC firmware versions prior to 3.38.30 and all DGX-2 with BMC firmware versions prior to 1.06.06, contain a vulnerability in the AMI BMC firmware in which software does not validate the RSA 1024 public key used to verify the firmware signature, which may lead to information disclosure or code execution.
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 0.8 | Impact: 5.9
Affected Packages: 2 packages
CVEListV5: nvidia/nvidia_dgx_servers: All DGX-1 with BMC firmware versions prior to 3.38.30, and all DGX-2 with BMC firmware versions prior to 1.06.06