Home / Linux / NVIDIA Fixes Flaws in Linux4Tegra Driver for Jetson AI Supercomputers

NVIDIA Fixes Flaws in Linux4Tegra Driver for Jetson AI Supercomputers

NVIDIA Fixes Flaws in Linux4Tegra Driver for Jetson AI Supercomputers

NVIDIA released a security update for the Jetson TX1 and TX2 to patch vulnerabilities discovered in the Linux for Tegra (L4T or Linux4Tegra) driver package that could enable local attackers with basic user privileges to elevate privileges and to perform privilege escalation, denial-of-service (DoS) or information disclosure attacks.

As described by NVIDIA, Jetson TX1 and TX2 are high-performance and low-power embedded AI supercomputers on a module designed to be used for compute-intensive deep learning and computer vision projects.

While the fixed security flaws require local user access and cannot be exploited remotely, potential attackers could take advantage of them by planting malicious tools remotely by various means on a system running a vulnerable Tegra Linux Driver Package version.

NVIDIA Jetson modules

By taking advantage of unpatched code execution flaws would-be attackers are able to run code on compromised machines while triggering the vulnerabilities which lead to a denial of service state they can render machines unusable.

Attackers can also exploit any of the issues that lead to information disclosure to be able to gain valuable information about L4T systems where outdated versions of the Tegra Linux Driver Package are installed.

In addition, escalation of privileges CVEs will make it possible for malicious attackers to elevate their privileges and thus being able to obtain permissions beyond the ones initially granted by the system.

The fixed high severity security issues which received base score ratings above 8.0 from NVIDIA are detailed below, together with full descriptions and the assigned CVSS V3 Base Scores and Vectors.

CVE Description Base Score Vector
CVE‑2018‑6269 NVIDIA Tegra kernel driver contains a vulnerability in input/output control (IOCTL) handling for user mode requests in which a non-trusted pointer dereference may be made, which may lead to information disclosure, denial of service, escalation of privileges, or code execution. 8.8 AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE‑2017‑6278 NVIDIA Tegra kernel contains a vulnerability in the CORE dynamic voltage and frequency scaling (DVFS) thermal driver in which there is the potential to read or write a buffer using an index or pointer that references a memory location after the end of the buffer, which may lead to a denial of service or escalation of privileges. 8.4 AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE‑2018‑6267 NVIDIA Tegra OpenMax driver (libnvomx) contains a vulnerability in which a missing user metadata check may allow invalid metadata to pass as valid metadata, which may lead to a denial of service or escalation of privileges. 8.4 AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE‑2018‑6271 NVIDIA Tegra OpenMax driver (libnvomx) contains a vulnerability in which input is invalid or erroneously validated and could affect the control flow or data flow of a program, which may lead to denial of service or escalation of privileges. 8.4 AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Descriptions of all other security flaws affecting the NVIDIA Tegra Linux Driver Package (L4T) for the Jetson TX1 and TX2

According to NVIDIA’s security advisory, the “risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk of your local installation. NVIDIA recommends consulting a security or IT professional to evaluate the risk to your specific configuration.”

The full list of security issues patched in this security update, as well as the NVIDIA software products and versions are listed below:

CVE Software Product Operating System Affected Versions Updated Versions
CVE‑2017‑6278
CVE‑2018‑6271
CVE‑2019‑5672
CVE‑2018‑3639
CVE‑2018‑6267
CVE‑2018‑6268
CVE‑2017‑6274
CVE‑2017‑6284
CVE‑2017‑0330
Jetson TX1 Linux for Tegra All versions prior to R28.3 R28.3
CVE‑2018‑6269
CVE‑2017‑6278
CVE‑2018‑6271
CVE‑2019‑5673
CVE‑2019‑5672
CVE‑2018‑3639
CVE‑2018‑6267
CVE‑2018‑6268
CVE‑2017‑6274
CVE‑2017‑0330
CVE‑2018‑6239
CVE‑2018‑3665
Jetson TX2 Linux for Tegra All versions prior to R28.3 R28.3

On February 25, NVIDIA released another security update for the NVIDIA GPU Display Driver that patched eight security issues that could have lead to code execution, escalation of privileges, denial of service, or information disclosure on vulnerable Windows and Linux machines.

Last week, the company also provided a security update to fix a vulnerability impacting the NVIDIA GeForce Experience when the ShadowPlay or GameStream features were enabled that could lead to code execution, denial of service, or escalation of privileges.

Loading...

>> Source Link

Check Also

Linux Code Reveals Intel’s New ‘Lightning Mountain’ SoC In The Making

As per reports, the silicon giant Intel is working on a new Atom SoC which …

%d bloggers like this: