9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.002 Low
EPSS
Percentile
60.4%
NVIDIA has released software security updates for NVIDIA® Jetson™ TX1 and TX2 in the NVIDIA® Tegra® Linux Driver Package (L4T). The update addresses issues that may lead to code execution, denial of service, escalation of privileges, or information disclosure. To protect your system, download available updates from NVIDIA DevZone. Go to NVIDIA Product Security.
This section summarizes the potential impact that this security update addresses. Descriptions use CWE™, and base scores and vectors follow CVSS V3 standards.
CVE | Description | Base Score | Vector |
---|---|---|---|
CVE‑2018‑6269 | NVIDIA Tegra kernel driver contains a vulnerability in input/output control (IOCTL) handling for user mode requests in which a non-trusted pointer dereference may be made, which may lead to information disclosure, denial of service, escalation of privileges, or code execution. | 8.8 | AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
CVE‑2017‑6278 | NVIDIA Tegra kernel contains a vulnerability in the CORE dynamic voltage and frequency scaling (DVFS) thermal driver in which there is the potential to read or write a buffer using an index or pointer that references a memory location after the end of the buffer, which may lead to a denial of service or escalation of privileges. | 8.4 | AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE‑2018‑6267 | NVIDIA Tegra OpenMax driver (libnvomx) contains a vulnerability in which a missing user metadata check may allow invalid metadata to pass as valid metadata, which may lead to a denial of service or escalation of privileges. | 8.4 | AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE‑2018‑6271 | NVIDIA Tegra OpenMax driver (libnvomx) contains a vulnerability in which input is invalid or erroneously validated and could affect the control flow or data flow of a program, which may lead to denial of service or escalation of privileges. | 8.4 | AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE‑2019‑5673 | NVIDIA Tegra kernel driver contains a vulnerability in the ARM System Memory Management Unit (SMMU) in which an improper check for a fault condition causes transactions to be discarded, which may lead to denial of service. | 7.9 | AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H |
CVE‑2018‑6268 | NVIDIA Tegra OpenMax driver (libnvomx) contains a vulnerability in libnvmmlite_video.so, in which referencing memory after it has been freed may lead to denial of service or escalation of privileges. | 7.8 | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVE‑2017‑6284 | NVIDIA Security Engine contains a vulnerability in the Deterministic Random Bit Generator (DRBG) in which the data may not be properly initialized, which may lead to information disclosure. | 7.1 | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
CVE‑2017‑0330 | NVIDIA Tegra kernel contains a vulnerability in NVIDIA crypto driver in which a pointer passed from a user to the driver is not correctly validated which may lead to denial of service or escalation of privileges. |
7.1
| AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CVE‑2019‑5672 | NVIDIA Linux for Tegra (L4T) contains a vulnerability in which the Secure Shell (SSH) keys provided in the sample rootfs are not replaced by unique host keys after sample rootsfs generation and flashing, which may lead to information disclosure. | 6.8 | AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
CVE‑2017‑6274 | NVIDIA Tegra kernel contains a vulnerability in the CORE dynamic voltage and frequency scaling (DVFS) thermal driver in which there is the potential to read or write a buffer using an index or pointer that references a memory location after the end of the buffer, which may lead to a denial of service or escalation of privileges. | 6.7 |
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE‑2018‑3665 | NVIDIA Tegra TX2 contains a vulnerability, which through the use of speculative execution, may disclose register contents in an unauthorized manner which may lead to information disclosure. | 5.6 | AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
CVE‑2018‑6239 | NVIDIA Tegra TX2 contains a vulnerability by means of speculative execution where local and unprivileged code may access the contents of cached information in an unauthorized manner, which may lead to information disclosure. | 5.6 | AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
CVE‑2018‑3639 | Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4. | 4.3 | AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk of your local installation. NVIDIA recommends consulting a security or IT professional to evaluate the risk to your specific configuration.
The following table lists the NVIDIA software products and versions affected, and the updated versions that include this security update.
Download the updates from NVIDIA DevZone.
CVE | Software Product | Operating System | Affected Versions | Updated Versions |
---|---|---|---|---|
CVE‑2017‑6278 CVE‑2018‑6271 CVE‑2019‑5672 CVE‑2018‑3639 CVE‑2018‑6267 CVE‑2018‑6268 CVE‑2017‑6274 CVE‑2017‑6284 CVE‑2017‑0330 | Jetson TX1 | Linux for Tegra | All versions prior to R28.3 | R28.3 |
CVE‑2018‑6269 CVE‑2017‑6278 CVE‑2018‑6271 CVE‑2019‑5673 CVE‑2019‑5672 CVE‑2018‑3639 CVE‑2018‑6267 CVE‑2018‑6268 CVE‑2017‑6274 CVE‑2017‑0330 CVE‑2018‑6239 CVE‑2018‑3665 | Jetson TX2 | Linux for Tegra | All versions prior to R28.3 | R28.3 |
Notes
See Security Updates for the versions to install.
CVE-2019-5672: NVIDIA thanks Jesse Raffa for reporting this issue.
CPE | Name | Operator | Version |
---|---|---|---|
jetson tx1 | lt | 28.3 | |
jetson tx2 | lt | 28.3 |
9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.002 Low
EPSS
Percentile
60.4%