Source: www.securityweek.com – Author: Ryan Naraine
Artificial intelligence tech giant Nvidia has flagged a major security flaw in its NeMo generative-AI framework, warning that malicious hackers can execute code and tamper with data on systems utilizing the platform.
“NeMo contains a vulnerability in SaveRestoreConnector where a user may cause a path traversal issue via an unsafe .tar file extraction. A successful exploit of this vulnerability may lead to code execution and data tampering,” the company said in an advisory.
Nvidia tagged the issue as CVE-2024-0129 with a CVSS severity score of 6.3/10. The issue affects the framework on Windows, Linux and MacOS systems.
The company released a patch on the NeMo GitHub repository and urged users to upgrade all instances to version r2.0.0rc0 or later.
Nvidia NeMo is used to streamline the development of custom generative AI that includes large language models (LLMs), multimodal, vision, and speech AI.
It provides tooling for enterprises looking to build tailored gen-AI products with features for fine-tuning, model training, and inference on platforms ranging from data centers to edge devices.
The NeMo framework helps developers to efficiently create, customize, and deploy new generative AI models by leveraging existing code and pre-trained model checkpoints.
Related: Critical Nvidia Flaw Exposes Cloud AI Systems to Host Takeover
Advertisement. Scroll to continue reading.
Related: Nvidia Patches High-Risk Vulnerabilities in AI, Networking Products
Related: Nvidia Patches High-Severity GPU Driver Vulnerabilities
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
Daily Briefing Newsletter
Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.
Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization’s data security and resilience.
The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.
Original Post URL: https://www.securityweek.com/code-execution-data-tampering-flaw-in-nvidia-nemo-gen-ai-framework/
Category & Tags: Artificial Intelligence,Vulnerabilities,code execution,data tampering,generative AI,NeMo,NVIDIA – Artificial Intelligence,Vulnerabilities,code execution,data tampering,generative AI,NeMo,NVIDIA
Views: 2
