Security Bulletin: NVIDIA Jetson TX1 and TX2 L4T - April 2019

NVIDIA has released software security updates for NVIDIA® Jetson™ TX1 and TX2 in the NVIDIA® Tegra® Linux Driver Package (L4T). The update addresses issues that may lead to code execution, denial of service, escalation of privileges, or information disclosure. To protect your system, download available updates from NVIDIA DevZone. Go to NVIDIA Product Security.

Details

This section summarizes the potential impact that this security update addresses. Descriptions use CWE™, and base scores and vectors follow CVSS V3 standards.

7.1

| AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CVE‑2019‑5672 | NVIDIA Linux for Tegra (L4T) contains a vulnerability in which the Secure Shell (SSH) keys provided in the sample rootfs are not replaced by unique host keys after sample rootsfs generation and flashing, which may lead to information disclosure. | 6.8 | AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
CVE‑2017‑6274 | NVIDIA Tegra kernel contains a vulnerability in the CORE dynamic voltage and frequency scaling (DVFS) thermal driver in which there is the potential to read or write a buffer using an index or pointer that references a memory location after the end of the buffer, which may lead to a denial of service or escalation of privileges. | 6.7 |

AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE‑2018‑3665 | NVIDIA Tegra TX2 contains a vulnerability, which through the use of speculative execution, may disclose register contents in an unauthorized manner which may lead to information disclosure. | 5.6 | AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
CVE‑2018‑6239 | NVIDIA Tegra TX2 contains a vulnerability by means of speculative execution where local and unprivileged code may access the contents of cached information in an unauthorized manner, which may lead to information disclosure. | 5.6 | AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
CVE‑2018‑3639 | Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4. | 4.3 | AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk of your local installation. NVIDIA recommends consulting a security or IT professional to evaluate the risk to your specific configuration.

Security Updates

The following table lists the NVIDIA software products and versions affected, and the updated versions that include this security update.

Download the updates from NVIDIA DevZone.

Notes

• Affected versions include the versions listed and all earlier branches and releases.
• If you are using an unsupported version or an earlier unsupported branch, upgrade to the latest supported version. To identify products that are no longer supported,contact NVIDIA Support.

Mitigations

See Security Updates for the versions to install.

Acknowledgements

CVE-2019-5672: NVIDIA thanks Jesse Raffa for reporting this issue.