NVIDIA:5147
Jan 01, 2021 - 12:00 a.m.

Security Bulletin: NVIDIA Jetson AGX Xavier Series, Jetson Xavier NX, TX1, TX2, Nano and Nano 2GB - January 2021

nvidia.custhelp.com

CVSS3: 8.8 High

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2: 6.5 Medium

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: SINGLE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

EPSS: 0.008 Low

  • Percentile: 80.8%

NVIDIA has released a software update for Jetson AGX Xavier™, Jetson Xavier NX, Jetson™ TX1, Jetson TX2, Jetson Nano™, and Jetson Nano 2GB in the NVIDIA® JetPack™ software development kit (SDK) 4.5. The update addresses security issues that may lead to denial of service, data loss, and information disclosure. To protect your system, download and install the latest NVIDIA JetPack SDK from NVIDIA DevZone. Go to NVIDIA Product Security.

Details

This section provides a summary of potential vulnerabilities and their impact that this security update addresses. Descriptions use CWE™, and base scores and vectors use CVSS v3.1 standards.

| CVE IDs | Description | Base Score | Vector |
| --- | --- | --- | --- |
| CVE-2021-1070 | NVIDIA L4T contains a vulnerability in the apply_binaries.sh script used to install NVIDIA components into the root file system image, in which improper access control is applied, which may lead to an unprivileged user being able to modify system device tree files, leading to denial of service. | 7.1 | AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H |
| CVE-2021-1069 | NVIDIA Tegra® kernel driver contains a vulnerability in NVHost in which the variable can be null, which may lead to a null pointer dereference and unexpected reboot, leading to data loss. | 6.1 | AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H |
| CVE-2021-1071 | NVIDIA Tegra kernel contains a vulnerability in the INA3221 driver in which improper access control may lead to unauthorized users gaining access to system power usage data, which may lead to information disclosure. | 5.6 | AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N |

The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk to your local installation. NVIDIA recommends consulting a security or IT professional to evaluate the risk to your specific configuration.

Security Updates

The following table lists the NVIDIA software products affected, versions affected, and the updated version that includes this security update.

| CVE IDs Addressed | Software Product | Operating System | Affected Versions | Updated Version |
| --- | --- | --- | --- | --- |
| CVE-2021-1069 CVE-2021-1070 CVE-2021-1071 | Jetson TX1, TX2 series, Jetson AGX Xavier series, Jetson Xavier NX, Jetson Nano, and Jetson Nano 2GB | Linux for Tegra (L4T) | All versions prior to L4T release r32.5 | L4T release r32.5 |

Notes:

  • Earlier software branch releases that support this product are also affected. If you are using an earlier branch release, upgrade to the latest branch release.

Mitigations

See Security Updates for the version to install.
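
A check of a device against the fixed release listed under Security Updates, added here as an example and not part of NVIDIA's bulletin. It assumes the L4T release is recorded on the first line of `/etc/nv_tegra_release` in the form `# R32 (release), REVISION: 5.0, ...`; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an L4T release line against the fixed release r32.5.
FIXED_MAJOR=32
FIXED_MINOR=5

# Constructed sample lines (GCID, BOARD and DATE values are placeholders).
SAMPLE_OLD='# R32 (release), REVISION: 4.4, GCID: 00000000, BOARD: t186ref, EABI: aarch64, DATE: (constructed)'
SAMPLE_NEW='# R32 (release), REVISION: 5.0, GCID: 00000000, BOARD: t186ref, EABI: aarch64, DATE: (constructed)'

# Print "MAJOR.MINOR" parsed from a release line; return 1 if it does not match
# the assumed format.
parse_l4t_release() {
    printf '%s\n' "$1" |
        sed -n 's/^# R\([0-9][0-9]*\) (release), REVISION: \([0-9][0-9]*\)[.,].*/\1.\2/p' |
        grep .
}

# Print "patched", "affected" or "unknown" for a release line.
# Every release before r32.5, including earlier branches, counts as affected.
l4t_status() {
    rel=$(parse_l4t_release "$1") || { echo unknown; return 0; }
    major=${rel%%.*}
    minor=${rel#*.}
    if [ "$major" -gt "$FIXED_MAJOR" ] ||
       { [ "$major" -eq "$FIXED_MAJOR" ] && [ "$minor" -ge "$FIXED_MINOR" ]; }; then
        echo patched
    else
        echo affected
    fi
}

RELEASE_FILE=/etc/nv_tegra_release
if [ -r "$RELEASE_FILE" ]; then
    line=$(head -n 1 "$RELEASE_FILE")
else
    line=$SAMPLE_OLD   # not on a Jetson: fall back to the constructed sample
fi
echo "L4T status: $(l4t_status "$line")"
```

An `unknown` result means the release line did not match the assumed format and the version should be confirmed by other means before treating the device as patched.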

Acknowledgements

NVIDIA thanks the following individuals for reporting the issues:

  • CVE-2020-1069: Billy Laws
  • CVE-2021-1070: Michael de Gans
