NVIDIA:5418
History: Jan 10, 2023 - 12:00 a.m.

Security Bulletin: NVIDIA Omniverse Kit - January 2023

2023-01-10 00:00:00
nvidia.custhelp.com

CVSS3: 7.8

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: REQUIRED
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS: 0.001
Percentile: 35.7%

NVIDIA has released a software update for NVIDIA Omniverse™ Kit to address a security issue that may lead to code execution, information disclosure, data tampering, and denial of service.

To protect your system, open the Omniverse Launcher and apply the appropriate update.

Go to NVIDIA Product Security.

Details

This section provides a summary of potential vulnerabilities that this security update addresses and their impact. Descriptions use CWE™, and base scores and vectors use CVSS v3.1 standards.

| CVE ID | Description | Base Score | Vector |
|---|---|---|---|
| CVE‑2022‑42268 | Omniverse Kit contains a vulnerability in the reference applications Create, Audio2Face, Isaac Sim, View, Code, and Machinima. These applications allow executable Python code to be embedded in Universal Scene Description (USD) files to customize all aspects of a scene. If a user opens a USD file that contains embedded Python code in one of these applications, the embedded Python code automatically runs with the privileges of the user who opened the file. As a result, an unprivileged remote attacker could craft a USD file containing malicious Python code and persuade a local user to open the file, which may lead to information disclosure, data tampering, and denial of service. | 7.8 | AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |

The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk to your local installation. NVIDIA recommends consulting a security or IT professional to evaluate the risk to your specific configuration.

Security Updates

The following table lists the NVIDIA software products affected, software versions affected, and the updated version that includes this security update.

The updated versions in the table disable the functionality that automatically runs embedded Python code when a USD file is opened. If you enable this functionality, open USD files only from trusted sources.

| CVE IDs Addressed | Software Product | Affected Versions | Updated Version |
|---|---|---|---|
| CVE‑2022‑42268 | Omniverse Audio2Face | All versions prior to 2022.2 | 2022.2 |
| CVE‑2022‑42268 | Omniverse Create | All versions prior to 2022.3 | 2022.3 |
| CVE‑2022‑42268 | NVIDIA Isaac Sim | All versions prior to 2022.2.0 | 2022.2.0 |
| CVE‑2022‑42268 | Omniverse Machinima | All versions prior to 2022.3 | 2022.3 |
| CVE‑2022‑42268 | Omniverse Code | All versions prior to 2022.3.0 | 2022.3.0 |
| CVE‑2022‑42268 | Omniverse View | All versions prior to 2022.2.1 | 2022.2.1 |

To protect your system, update your software by following the instructions for the launcher that you are using:

  • Workstation Launcher (all users): Click the Library tab and follow the instructions in Updating an App in the User Guide for Omniverse Launcher.
  • IT Managed Launcher, formerly known as the Enterprise Launcher (IT administrators only): Download the updated version from the Omniverse Enterprise portal and follow the instructions in Install Applications in the User Guide for Omniverse Launcher.

The IT Managed Launcher is designed for air-gapped networks. NVIDIA will notify enterprise contacts by email when an update is available.

After the application is updated, any extensions that support running embedded Python code in USD files will be disabled. To enable these extensions, follow the instructions in the Extension Manager Documentation.

Notes

  • Earlier software releases that support this product also enable this functionality by default. If you are using an earlier release, upgrade to the latest release.

Mitigations

If you cannot install the updated versions, manually disable the following extensions:

  • omni.kit.embedded_script
  • omni.script.prim
  • omni.graph.scriptnode

To disable these extensions, follow the instructions and video in the Extension Manager Documentation.
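
For fleets with many installations, the version table and the mitigation list above can be combined into one triage check. The following is an added example, not NVIDIA code: the fixed versions and extension names are taken from this bulletin, while the inventory record layout, host names and sample versions are assumptions constructed for illustration, and versions are assumed to be purely numeric dotted strings.

```python
# Fixed versions and extension names are from the bulletin; the inventory
# record layout (host, product, version, enabled extensions) is an assumption.
FIXED = {  # product -> first version that contains the update
    "Omniverse Audio2Face": "2022.2",
    "Omniverse Create": "2022.3",
    "NVIDIA Isaac Sim": "2022.2.0",
    "Omniverse Machinima": "2022.3",
    "Omniverse Code": "2022.3.0",
    "Omniverse View": "2022.2.1",
}
SCRIPT_EXTENSIONS = {"omni.kit.embedded_script", "omni.script.prim",
                     "omni.graph.scriptnode"}

def parse_version(text, width=4):
    """Turn '2022.2' into (2022, 2, 0, 0) so that '2022.2' == '2022.2.0'."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def assess(product, version, enabled_extensions):
    """Return (status, action) for one installed application."""
    if product not in FIXED:
        return "not-listed", "product is not in the bulletin's table"
    outdated = parse_version(version) < parse_version(FIXED[product])
    active = sorted(SCRIPT_EXTENSIONS & set(enabled_extensions))
    if outdated and active:
        return "exposed", f"update to {FIXED[product]} or disable {', '.join(active)}"
    if outdated:
        return "mitigated", f"extensions disabled; still update to {FIXED[product]}"
    if active:
        return "re-enabled", f"open only trusted USD files ({', '.join(active)} enabled)"
    return "ok", "updated and script extensions disabled"

# Constructed sample inventory (hosts and installed versions are made up).
INVENTORY = [
    ("ws-01", "Omniverse Create", "2022.2.2", ["omni.kit.embedded_script", "omni.script.prim"]),
    ("ws-02", "Omniverse Audio2Face", "2022.2.0", []),
    ("ws-03", "Omniverse View", "2022.2", []),
    ("ws-04", "Omniverse Code", "2022.3.1", ["omni.graph.scriptnode"]),
]

if __name__ == "__main__":
    for host, product, version, exts in INVENTORY:
        status, action = assess(product, version, exts)
        print(f"{host:6} {product:22} {version:9} {status:10} {action}")
```

The "re-enabled" status covers the case the bulletin calls out for updated versions: the script extensions were turned back on after the update, so USD files should be opened only from trusted sources.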

Acknowledgements

CVE‑2022‑42268 - NVIDIA thanks Shashi Bhushan for reporting this issue.
