NVIDIA Jetson chips, which are deployed in millions of IoT devices, have been found to contain numerous security flaws that can lead to critical attacks, including denial-of-service (DoS) attacks.
June Security Bulletin Addresses NVIDIA Jetson bugs:
The NVIDIA Jetson line consists of embedded Linux AI and computer vision compute modules and developer kits that primarily cater to AI-based computer vision applications and autonomous systems such as mobile robots and drones.
The technology company issued several security fixes in its June Security Bulletin, patching nine high-severity bugs along with eight lower-severity vulnerabilities.
The patches cover a wide swath of NVIDIA's chipsets typically used for embedded computing systems, machine-learning applications, and autonomous devices such as robots and drones.
The impacted products in the NVIDIA Jetson chipset series are AGX Xavier, Xavier NX/TX1, Jetson TX2 (including Jetson TX2 NX), and Jetson Nano devices (including Jetson Nano 2GB) found in the NVIDIA JetPack software development kit.
Important vulnerabilities in NVIDIA Jetsons:
Of all the vulnerabilities, the one tracked as CVE-2021-34372 is the most critical security flaw, with a severity rating of 8.2.
According to NVIDIA's security report, it opens the Jetson chassis to a buffer overflow attack, where a threat actor would require network access to a system to actually carry out the attack.
However, the report notes that the security flaw is not complex to exploit and that malicious entities with low-level access can initiate the attack. A successful exploit of the vulnerability could allow attackers to compromise a target system or gain stable access to components other than the targeted chipset.
Eight other critical weaknesses involve memory corruption, stack overflows, and missing bounds checks in the TEE, as well as heap overflows affecting the Bootloader, that could lead to arbitrary code execution, denial of service, and information disclosure. The rest of the flaws, also related to Trusty and Bootloader, could be exploited for code execution, denial of service, and information disclosure, the company noted.
Listed below are the important vulnerabilities and the CVSS ratings of the NVIDIA Jetson security flaws:
| CVE | Description | CVSS rating |
|---|---|---|
| CVE-2021-34372 | Trusty (the trusted OS produced by NVIDIA for Jetson devices) driver contains a vulnerability in the NVIDIA OTE protocol message parsing code where an integer overflow in a malloc() size calculation leads to a buffer overflow on the heap, which might result in information disclosure, escalation of privileges, and denial of service. | 8.2 |
| CVE-2021-34373 | Trusty trusted Linux kernel (TLK) contains a vulnerability in the NVIDIA TLK kernel where a lack of heap hardening could cause heap overflows, which might lead to information disclosure and denial of service. | 7.9 |
| CVE-2021-34374 | Trusty contains a vulnerability in command handlers where the length of input buffers is not verified. This vulnerability can cause memory corruption, which may lead to information disclosure, escalation of privileges, and denial of service. | 7.7 |
| CVE-2021-34375 | Trusty contains a vulnerability in all trusted applications (TAs) where the stack cookie was not randomized, which might result in stack-based buffer overflow, leading to denial of service, escalation of privileges, and information disclosure. | 7.7 |
| CVE-2021-34376 | Trusty contains a vulnerability in the HDCP service TA where bounds checking in command 5 is missing. Improper restriction of operations within the bounds of a memory buffer might lead to denial of service, escalation of privileges, and information disclosure. | 7.7 |
| CVE-2021-34377 | Trusty contains a vulnerability in the HDCP service TA where bounds checking in command 9 is missing. Improper restriction of operations within the bounds of a memory buffer might lead to escalation of privileges, information disclosure, and denial of service. | 7.7 |
| CVE-2021-34378 | Trusty contains a vulnerability in the HDCP service TA where bounds checking in command 11 is missing. Improper restriction of operations within the bounds of a memory buffer might lead to information disclosure, denial of service, or escalation of privileges. | 7.7 |
| CVE-2021-34379 | Trusty contains a vulnerability in the HDCP service TA where bounds checking in command 10 is missing. The length of an I/O buffer parameter is not checked, which might lead to memory corruption. | 7.7 |
| CVE-2021-34380 | Bootloader contains a vulnerability in NVIDIA MB2 where potential heap overflow might cause corruption of the heap metadata, which might lead to arbitrary code execution, denial of service, and information disclosure during secure boot. | 7.0 |
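
The bug class described for CVE-2021-34372 (an integer overflow in a malloc() size calculation) and for CVE-2021-34374 (input buffer length not verified), shown beside a hardened form. This is an added illustration, not NVIDIA's Trusty code: the message layout, `struct msg_hdr` and both function names are hypothetical, and `__builtin_mul_overflow` assumes GCC or Clang.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical wire format (not the NVIDIA OTE layout): a header announcing
 * `count` records of `rec_size` bytes each, followed by the records. */
struct msg_hdr { uint32_t count; uint32_t rec_size; };

/* Vulnerable pattern: the product is computed in 32 bits and can wrap, so a
 * malloc() of this size may be far smaller than the data a later copy loop
 * would write. The value is returned here only to make the wrap visible. */
uint32_t alloc_size_unchecked(const struct msg_hdr *h)
{
    return h->count * h->rec_size;
}

/* Hardened pattern: reject a wrapped size calculation and any announced size
 * that disagrees with the bytes actually received.
 * Returns a heap copy of the records, or NULL if the message is rejected. */
uint8_t *parse_records_checked(const uint8_t *msg, size_t msg_len, size_t *out_len)
{
    struct msg_hdr h;
    size_t total;

    if (msg == NULL || out_len == NULL || msg_len < sizeof h)
        return NULL;                      /* too short to hold a header */
    memcpy(&h, msg, sizeof h);            /* avoids unaligned reads */
    if (h.count == 0 || h.rec_size == 0)
        return NULL;
    if (__builtin_mul_overflow((size_t)h.count, (size_t)h.rec_size, &total))
        return NULL;                      /* wraps where size_t is 32-bit */
    if (total != msg_len - sizeof h)
        return NULL;                      /* header disagrees with payload */

    uint8_t *buf = malloc(total);
    if (buf == NULL)
        return NULL;
    memcpy(buf, msg + sizeof h, total);   /* bounded by the verified length */
    *out_len = total;
    return buf;
}

int main(void)
{
    struct msg_hdr bad = { 0x10000u, 0x10001u };   /* constructed sample */
    printf("unchecked size: %u\n", (unsigned)alloc_size_unchecked(&bad));
    return 0;
}
```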
Update to the latest version now!
The technology organization has also stated that earlier software release branches of the products are affected by the vulnerabilities. Hence, it is recommended that users update to the latest 32.5.1 release. Users who were already using the 32.5.1 release should update to the latest Debian packages.