CVE-2021-1120 – This vulnerability in NVIDIA vGPU software allo... (How to Fix)

Q: What is the severity of CVE-2021-1120?

CVE-2021-1120 has a CVSS score of 7.0 (HIGH). This vulnerability in NVIDIA vGPU software allows a guest operating system to pass improperly terminated strings to the Virtual GPU Manager plugin. This could enable attackers with guest OS access to cause information disclosure, data tampering, code execution, or denial of service. It affects organizations using NVIDIA vGPU technology for virtualization.

📋 TL;DR

This vulnerability in NVIDIA vGPU software allows a guest operating system to pass improperly terminated strings to the Virtual GPU Manager plugin. This could enable attackers with guest OS access to cause information disclosure, data tampering, code execution, or denial of service. It affects organizations using NVIDIA vGPU technology for virtualization.

💻 Affected Systems

Products:

NVIDIA Virtual GPU Manager (vGPU plugin)

Versions: vGPU software versions prior to 11.4

Operating Systems: Linux (host systems running NVIDIA vGPU software)

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects environments using NVIDIA vGPU technology for GPU virtualization. Guest OS must have vGPU access.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Unauthorized code execution on the host system, potentially compromising the entire virtualization environment and all guest VMs.

🟠

Likely Case

Denial of service affecting vGPU functionality or information disclosure from the vGPU plugin memory.

🟢

If Mitigated

Limited impact if proper network segmentation and access controls prevent guest-to-host escalation.

🌐 Internet-Facing: LOW - This vulnerability requires guest OS access, not direct internet exposure.

🏢 Internal Only: HIGH - Malicious insiders or compromised guest VMs could exploit this to affect the virtualization host.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires guest OS access and knowledge of vGPU plugin internals. No public exploits known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: vGPU software version 11.4 and later

Vendor Advisory: https://nvidia.custhelp.com/app/answers/detail/a_id/5230

Restart Required: Yes

Instructions:

1. Download vGPU software version 11.4 or later from NVIDIA portal. 2. Stop all VMs using vGPU. 3. Update vGPU software on host. 4. Restart host. 5. Verify version with 'nvidia-smi -q'.

🔧 Temporary Workarounds

Isolate vGPU-enabled VMs

all

Segment vGPU-enabled virtual machines onto separate networks/hosts from critical infrastructure

Restrict vGPU access

all

Limit which users/VMs have vGPU capabilities to reduce attack surface

🧯 If You Can't Patch

Implement strict network segmentation between vGPU-enabled VMs and critical systems
Monitor vGPU plugin logs for unusual activity and implement strict access controls for guest VMs

🔍 How to Verify

Check if Vulnerable:

Check vGPU software version with 'nvidia-smi -q' and compare to affected versions (pre-11.4)

Check Version:

nvidia-smi -q | grep 'Driver Version'

Verify Fix Applied:

Verify version is 11.4 or later with 'nvidia-smi -q' and test vGPU functionality

📡 Detection & Monitoring

Log Indicators:

Unusual vGPU plugin errors
Guest VM attempts to send malformed vGPU requests
System crashes related to vGPU service

Network Indicators:

Unusual traffic patterns from vGPU-enabled VMs to host management interfaces

SIEM Query:

source="vGPU-plugin" AND (error OR crash OR "null termination")

📊 Metadata

CVE ID: CVE-2021-1120

CVSS v3 Score: 7.0 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-170

Published: October 29, 2021

Last Updated: November 21, 2024

🔗 References

https://nvidia.custhelp.com/app/answers/detail/a_id/5230 Vendor Advisory
https://nvidia.custhelp.com/app/answers/detail/a_id/5230 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-1120, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Virtual Gpu by Nvidia

Virtual Gpu by Nvidia

Virtual Gpu by Nvidia

Virtual Gpu by Nvidia

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Isolate vGPU-enabled VMs

Restrict vGPU access

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities