New vulnerabilities have been found in NVIDIA’s Jetson SoC framework that affects millions of graphics cards. These vulnerabilities may allow hackers to perform denial-of-service attacks and data theft, according to Threat Post.
The chipmaker is patching 9 high-level vulnerabilities related to the manufacturing process of low-level encryption methods. Affected NVIDIA chipsets include those found in embedded machine learning systems, computing systems, and even standalone devices such as robots and drones.
With the released the June security bulletin on Friday, NVIDIA wants to fix the bugs and NVIDIA has thanked bug hunter Frédéric Perriot of Apple Media Products RedTeam for reporting the vulnerabilities.
Some of the products affected by these new vulnerabilities are Jetson Nano devices (including Jetson Nano 2GB), Xavier NX/TX1, AGX Xavier, Jetson TX2 (including Jetson TX2 NX).
The most important vulnerability
CVE-2021-34372 is the most important vulnerability that exposes the Jetson framework to a buffer overflow attack by an attacker. Although NVIDIA Security Bulletin explains that an attacker needs network access to perform an attack, they noted that low access rights are all it takes to launch it. After the intrusion, he may be able to control the target system by gaining permanent access to other components.
The security bulletin reads “[The Jetson] driver contains a vulnerability in the NVIDIA OTE protocol message parsing code where an integer overflow in a malloc() size calculation leads to a buffer overflow on the heap, which might result in information disclosure, escalation of privileges and denial of service (DoS)”.
The following vulnerabilities with the severity of 7 to 7.9 are included in the latest NVIDIA patch:
It is worth mentioning that the 7.9 rated flow severity affects the trusted Linux kernel of Jetson (CVE-2021-34373) and targets the component’s heap memory frame. From here the chipset can be manipulated to generate various errors. Moreover, 6 of these bugs can be exploited to trigger DDoS attacks.