Allele Security Alert
ASA-2019-00462
Identifier(s)
ASA-2019-00462, CVE-2019-5680
Title
Arbitrary memory write due to insufficient address validation
Vendor(s)
NVIDIA
Product(s)
NVIDIA Jetson TX1
Affected version(s)
NVIDIA Jetson TX1 release branch R32 before R32.2 running on Linux for Tegra
Fixed version(s)
NVIDIA Jetson TX1 version R32.2
Proof of concept
Yes
Description
NVIDIA Tegra bootloader contains a vulnerability in nvtboot in which the nvtboot-cpu image is loaded without the load address first being validated, which may lead to code execution, denial of service, or escalation of privileges.
Technical details
After checking the magic in the header, nvtboot reads the entire TBC partition (its size is stored in the GPT) to the address that LoadAddressInsecure points to. If that address points to nvtboot itself in memory, nvtboot can be overwritten, leading to unsigned code execution on the BPMP. This can be used to load the rest of the boot chain without checking the signatures.
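The kind of check whose absence is described above, as an added example (not NVIDIA's code and not the actual R32.2 fix): a destination validator that a loader would call before copying an image. All names, the memory window and the loader region are hypothetical, constructed values, not real Tegra addresses.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical region descriptor. */
struct region { uint64_t base; uint64_t size; };

/* Constructed layout: window reserved for the next-stage image, and the
 * running loader's own code/data, which must never be written. */
static const struct region ALLOWED = { 0x40000000ULL, 0x200000ULL };
static const struct region DENY[]  = { { 0x40010000ULL, 0x30000ULL } };

/* True if [a, a+alen) and [b, b+blen) share a byte. Callers guarantee that
 * neither range wraps (deny regions are trusted build-time constants). */
static bool overlaps(uint64_t a, uint64_t alen, uint64_t b, uint64_t blen)
{
    return a < b + blen && b < a + alen;
}

/* load_addr (image header) and size (partition table) are both treated as
 * untrusted input and checked before any byte is copied. */
bool load_addr_ok(uint64_t load_addr, uint64_t size, struct region allowed,
                  const struct region *deny, size_t n_deny)
{
    if (size == 0)
        return false;
    /* Reject wrap-around of load_addr + size. */
    if (size > UINT64_MAX - load_addr)
        return false;
    /* Destination must lie entirely inside the allowed window;
     * written with subtractions so the comparison cannot overflow. */
    if (load_addr < allowed.base || size > allowed.size ||
        load_addr - allowed.base > allowed.size - size)
        return false;
    /* Never overlap a protected region, even inside the window. */
    for (size_t i = 0; i < n_deny; i++)
        if (overlaps(load_addr, size, deny[i].base, deny[i].size))
            return false;
    return true;
}

/* Convenience wrapper over the constructed layout above. */
bool check_sample(uint64_t load_addr, uint64_t size)
{
    return load_addr_ok(load_addr, size, ALLOWED, DENY,
                        sizeof DENY / sizeof DENY[0]);
}
```

A copy is attempted only when the validator returns true; a load address that lands on the loader itself, straddles it, runs past the window or wraps the address space is rejected before any write.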
Credits
Balázs Triszka
Reference(s)
Security Bulletin: NVIDIA Jetson TX1 L4T – July 2019
https://nvidia.custhelp.com/app/answers/detail/a_id/4835
balika011/selfblow
https://github.com/balika011/selfblow
CVE-2019-5680
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5680
CVE-2019-5680
https://nvd.nist.gov/vuln/detail/CVE-2019-5680
Last modified: July 25, 2019