ASA-2019-00462 – NVIDIA Tegra Bootloader: Arbitrary memory write due to insufficient address validation


Allele Security Alert

ASA-2019-00462

Identifier(s)

ASA-2019-00462, CVE-2019-5680

Title

Arbitrary memory write due to insufficient address validation

Vendor(s)

NVIDIA

Product(s)

NVIDIA Jetson TX1

Affected version(s)

NVIDIA Jetson TX1 release branch R32 before R32.2 running on Linux for Tegra

Fixed version(s)

NVIDIA Jetson TX1 version R32.2

Proof of concept

Yes

Description

NVIDIA Tegra bootloader contains a vulnerability in nvtboot in which the nvtboot-cpu image is loaded without the load address first being validated, which may lead to code execution, denial of service, or escalation of privileges.

Technical details

After checking the magic in the header, nvtboot reads the entire TBC partition (whose size is stored in the GPT) to the address that LoadAddressInsecure points to. If that address points to nvtboot itself in memory, nvtboot can be overwritten, leading to unsigned code execution on the BPMP. This can be used to load the rest of the boot chain without checking the signatures.
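
The following is an added example, not code from NVIDIA, this alert or the referenced repository: a sketch of the load-address check whose absence is described above, rejecting any destination that is outside an allowed window or that touches the running loader. The region addresses and the names `LOADER_SELF`, `LOAD_WINDOW` and `load_address_ok` are constructed for illustration and are not Tegra values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Half-open physical range [base, base + size). */
struct region { uint64_t base, size; };

/* Constructed layout for illustration only; not real Tegra addresses. */
static const struct region LOADER_SELF = { 0x40010000u, 0x00020000u }; /* running loader */
static const struct region LOAD_WINDOW = { 0x80000000u, 0x00400000u }; /* next-stage area */

/* True if [addr, addr + len) lies entirely inside r; written so nothing can wrap. */
static bool range_within(const struct region *r, uint64_t addr, uint64_t len)
{
    if (len == 0 || len > r->size || addr < r->base)
        return false;
    return addr - r->base <= r->size - len;
}

/* True if [addr, addr + len) shares at least one byte with r. */
static bool range_overlaps(const struct region *r, uint64_t addr, uint64_t len)
{
    if (len == 0 || r->size == 0)
        return false;
    return addr <= r->base ? r->base - addr < len : addr - r->base < r->size;
}

/*
 * Decide whether an image may be read to load_addr. len must be the number of
 * bytes the read will really write (on this page: the whole partition, with
 * its size taken from the GPT).
 */
static bool load_address_ok(uint64_t load_addr, uint64_t len)
{
    if (!range_within(&LOAD_WINDOW, load_addr, len))
        return false;                         /* allow-list: only the load window */
    return !range_overlaps(&LOADER_SELF, load_addr, len); /* never over the loader */
}

int main(void)
{
    printf("inside window:   %d\n", load_address_ok(0x80000000u, 0x1000));
    printf("on the loader:   %d\n", load_address_ok(0x40010000u, 0x1000));
    printf("past window end: %d\n", load_address_ok(0x803FF000u, 0x2000));
    return 0;
}
```

The check has to run before the read, and against the full length that will be written, since a destination that starts in a permitted area can still run into protected memory.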

Credits

Balázs Triszka

Reference(s)

Security Bulletin: NVIDIA Jetson TX1 L4T – July 2019
https://nvidia.custhelp.com/app/answers/detail/a_id/4835

balika011/selfblow
https://github.com/balika011/selfblow

CVE-2019-5680
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5680

CVE-2019-5680
https://nvd.nist.gov/vuln/detail/CVE-2019-5680


Last modified: July 25, 2019