NvidiaNVIDIA:5343Security Bulletin: NVIDIA Jetson AGX Xavier Series, Jetson Xavier NX, Jetson TX1, Jetson TX2 Series (including Jetson TX2 NX) - April 2022
4.6 Medium
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P
7.3 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
0.0004 Low
EPSS
Percentile
9.7%
NVIDIA has released a software update for NVIDIA® Jetson AGX Xavier™ series, Jetson Xavier™ NX, Jetson TX1, Jetson TX2 series (including Jetson TX2 NX) in the NVIDIA JetPack™ software development kit (SDK). The update addresses security issues that may lead to denial of service, escalation of privileges, and impacts to data integrity and confidentiality. To protect your system, download and install the latest NVIDIA JetPack SDK from NVIDIA DevZone.
Go to NVIDIA Product Security.
Details
This section provides a summary of potential vulnerabilities that this security update addresses and their impact. Descriptions use CWE™, and base scores and vectors use CVSS v3.1 standards.
| CVE ID | Description | Base Score | Vector |
|---|---|---|---|
| CVE‑2022‑28193 | NVIDIA Jetson Linux Driver Package contains a vulnerability in the Cboot module tegrabl_cbo.c, where insufficient validation of untrusted data may allow a local attacker with elevated privileges to cause a memory buffer overflow, which may lead to code execution, loss of integrity, limited denial of service, and some impact to confidentiality. |
5.6 | AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L |
| CVE‑2022‑28194 | NVIDIA Jetson Linux Driver Package contains a vulnerability in the Cboot module tegrabl_cbo.c, where, if TFTP is enabled, a local attacker with elevated privileges can cause a memory buffer overflow, which may lead to code execution, loss of Integrity, limited denial of service, and some impact to confidentiality. |
5.6 | AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L |
| CVE‑2022‑28195 | NVIDIA Jetson Linux Driver Package contains a vulnerability in the Cboot ext4_read_file function, where insufficient validation of untrusted data may allow a highly privileged local attacker to cause a integer overflow, which may lead to code execution, escalation of privileges, limited denial of service, and some impact to confidentiality and integrity. The scope of impact can extend to other components. |
5.7 | AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L |
| CVE‑2022‑28196 | NVIDIA Jetson Linux Driver Package contains a vulnerability in the Cboot blob_decompress function, where insufficient validation of untrusted data may allow a local attacker with elevated privileges to cause a memory buffer overflow, which may lead to code execution, limited loss of Integrity, and limited denial of service.The scope of impact can extend to other components. |
4.6 | AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L |
| CVE‑2022‑28197 | NVIDIA Jetson Linux Driver Package contains a vulnerability in the Cboot ext4_mount function, where Insufficient validation of untrusted data may allow a highly privileged local attacker to cause an integer overflow. This difficult- to-exploit vulnerability may lead to code execution, escalation of privileges, limited denial of service, and some impact to confidentiality and integrity. The scope of impact can extend to other components. |
5.0 | AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L |
The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk to your local installation. NVIDIA recommends evaluating the risk to your specific configuration.
Security Updates
The following table lists the NVIDIA software products affected, versions affected, and the updated version that includes this security update.
| CVE IDs Addressed | Software Product | Operating System | Affected Versions | Updated Version |
|---|---|---|---|---|
| CVE‑2022‑28193 | ||||
| CVE‑2022‑28194 | ||||
| CVE‑2022‑28195 | ||||
| CVE‑2022‑28197 | Jetson AGX Xavier series, | |||
| Jetson Xavier NX | Jetson Linux | All versions prior to 32.7.2 | 32.7.2 | |
| CVE‑2022‑28196 | Jetson AGX Xavier series, | |||
| Jetson Xavier NX, | ||||
| Jetson TX2 NX, | ||||
| Jetson TX2 series | Jetson Linux | All versions prior to 32.7.2 | 32.7.2 |
Notes:
- Earlier software branch releases that support this product are also affected. If you are using an earlier branch release, upgrade to the latest branch release.
Mitigations
None. See Security Updates for the version to install.
Acknowledgements
NVIDIA thanks Galen Schretlen of Worldcoin for reporting issues CVE‑2022‑28193, CVE‑2022‑28194, CVE‑2022‑28195, CVE‑2022‑28196, and CVE‑2022‑28197.
| CPE | Name | Operator | Version |
|---|---|---|---|
| jetson agx xavier series | lt | 32.7.2 | |
| jetson xavier nx | lt | 32.7.2 | |
| jetson tx2 nx | lt | 32.7.2 | |
| jetson tx2 series | lt | 32.7.2 |
Related
4.6 Medium
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P
7.3 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
0.0004 Low
EPSS
Percentile
9.7%