Bug in NVIDIA’s Tegra Chipset Opens Door to Malicious Code Execution

Researcher creates ‘Selfblow’ proof-of-concept attack for exploiting a vulnerability that exists in “every single Tegra device released so far”.

A flaw impacting millions of mobile and internet of things (IoT) devices running NVIDIA’s Tegra processor opens the door for a variety of attacks, including device hijacking or siphoning of data.

The warning comes from researcher Triszka Balázs, who discovered the flaw and asserts that the bug “affects every single Tegra device released so far.” He also created a proof-of-concept (PoC), called Selfblow, to exploit the vulnerability. On Thursday, NVIDIA released a patch for the bug (CVE‑2019‑5680) via a security bulletin.

The vulnerability is more specifically found in the Tegra system-on-a-chip (SoC) framework called Jetson TX1 L4T, used in devices that require low power consumption such as drones and IoT gear. It’s unclear how many chips utilize the vulnerable framework. However, the researcher said his PoC can flash (or reprogram) Tegra chips to run Jetson TX1, significantly enlarging the range of vulnerable devices.

“[The] proof of concept is using blobs from the Shield TV r30 release. In this example, running the flash_exploit.sh it can be flashed to the Jetson TX1. After booting the TX1 it will print a ‘Secure boot is broken!\n’ message to the uart0 before going into an infinite loop,” Balázs wrote.

The researcher’s PoC leverages what is called a cold-boot attack. That is when sensitive data becomes available to attackers via a computer’s RAM because the machine wasn’t shut down properly.

“This is an untethered cold-boot exploit, and as far as I can tell it affects every single Tegra device released so far. (Except the Nintendo Switch since it uses a custom bootloader.) Completely defeats secure boot even on latest firmware,” the researcher said. Secure boot is a security standard to help ensure that a device boots using only software that is trusted.

The high-severity bug (rated 7.7 on the Common Vulnerability Scoring System scale) traces back to the Tegra bootloader and a flaw in the “nvtboot” command, used for loading chip-level firmware.

“The bootloader contains a vulnerability in nvtboot in which the nvtboot-cpu image is loaded without the load address first being validated, which may lead to code execution, denial of service or escalation of privileges,” wrote NVIDIA.

One way to exploit the vulnerability, Balázs said, is for a local adversary to access and write to the chip’s embedded MultiMediaCard (eMMC). If that can’t be done at the local level, the researcher said, it can be done via his PoC (Selfblow). The PoC, for example, can be delivered via a malicious Android app or booby-trapped website that can write to the eMMC.

“You visit a website. It triggers a JavaScript bug. From that the attacker gains root in your device,” he told Threatpost. “This is temp root. To gain permanent one, the adversary flashes this to your device and takes over even higher rights, since this gives the bad guy even more permissions.”

For that reason, the researcher believes NVIDIA is slightly downplaying risks associated with the bug. On Twitter he wrote: “In the end @nvidia given me a CVE. CVE‑2019‑5680. It got a 7.7 score, but the correct one is 8.1, since it doesn’t require user interaction.”

NVIDIA did not return requests for comment.

Balázs first identified the bug in March. He said NVIDIA said it would fix the bug by May. “After four months I decided to give this to the public in good faith that will encourage them in fixing it so we can have a better, more secure devices,” he wrote on GitHub. On Thursday, NVIDIA released the patch.

Interested in more on patch management? Don’t miss our free live Threatpost webinar, “Streamlining Patch Management,” on Wed., July 24, at 2:00 p.m. EDT. Please join Threatpost editor Tom Spring and a panel of patch experts as they discuss the latest trends in Patch Management, how to find the right solution for your business and what the biggest challenges are when it comes to deploying a program. Register and Learn More

Suggested articles

Discussion

Leave A Comment

 

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.