Multiple vulnerabilities in Jetson Linux
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 9 |
| CVE-ID | CVE-2021-1106 CVE-2021-1107 CVE-2021-1108 CVE-2021-1109 CVE-2021-1110 CVE-2021-1111 CVE-2021-1112 CVE-2021-1113 CVE-2021-1114 |
| CWE-ID | CWE-264 CWE-284 CWE-190 CWE-399 CWE-20 CWE-119 CWE-476 CWE-416 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Jetson AGX Xavier series Hardware solutions / Firmware Jetson Xavier NX Hardware solutions / Firmware Jetson TX2 series Hardware solutions / Firmware Jetson TX2 NX Hardware solutions / Firmware Jetson Nano Hardware solutions / Firmware Jetson Nano 2GB Hardware solutions / Firmware Jetson TX1 Hardware solutions / Firmware |
| Vendor |
Security Bulletin
This security bulletin contains information about 9 vulnerabilities.
1) Security restrictions bypass
EUVDB-ID: #VU55581
Risk: Low
CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-1106
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists in nvmap in NVIDIA Linux kernel distributions due to possibility to perform writes to read-only buffers. A local user can execute arbitrary code with kernel privileges.
Install updates from vendor's website.
Vulnerable software versionsJetson AGX Xavier series: before 32.6.1
Jetson Xavier NX: before 32.6.1
Jetson TX2 series: before 32.6.1
Jetson TX2 NX: before 32.6.1
Jetson Nano: before 32.6.1
Jetson Nano 2GB: before 32.6.1
Jetson TX1: before 32.6.1
External linkshttp://nvidia.custhelp.com/app/answers/detail/a_id/5216
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper access control
EUVDB-ID: #VU55582
Risk: Low
CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-1107
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper access control restrictions in nvmap NVMAP_IOC_WRITE* paths. A local user can execute arbitrary code with kernel privileges.
Install updates from vendor's website.
Vulnerable software versionsJetson AGX Xavier series: before 32.6.1
Jetson Xavier NX: before 32.6.1
Jetson TX2 series: before 32.6.1
Jetson TX2 NX: before 32.6.1
Jetson Nano: before 32.6.1
Jetson Nano 2GB: before 32.6.1
Jetson TX1: before 32.6.1
External linkshttp://nvidia.custhelp.com/app/answers/detail/a_id/5216
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Integer overflow
EUVDB-ID: #VU55583
Risk: Low
CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-1108
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
Description
The vulnerability allows a local user to escalate privileges on the system.
Install updates from vendor's website.
Vulnerable software versionsJetson AGX Xavier series: before 32.6.1
Jetson Xavier NX: before 32.6.1
Jetson TX2 series: before 32.6.1
Jetson TX2 NX: before 32.6.1
Jetson Nano: before 32.6.1
Jetson Nano 2GB: before 32.6.1
Jetson TX1: before 32.6.1
External linkshttp://nvidia.custhelp.com/app/answers/detail/a_id/5216
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Resource management error
EUVDB-ID: #VU55584
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-1109
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources. A multistep, timing-related vulnerability where an unauthorized modification by camera resources may result in denial of service.
Install updates from vendor's website.
Vulnerable software versionsJetson AGX Xavier series: before 32.6.1
Jetson Xavier NX: before 32.6.1
Jetson TX2 series: before 32.6.1
Jetson TX2 NX: before 32.6.1
Jetson Nano: before 32.6.1
Jetson Nano 2GB: before 32.6.1
Jetson TX1: before 32.6.1
External linkshttp://nvidia.custhelp.com/app/answers/detail/a_id/5216
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Input validation error
EUVDB-ID: #VU55585
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-1110
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in camera firmware. A local user can pass specially crafted input to the application and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionsJetson AGX Xavier series: before 32.6.1
Jetson Xavier NX: before 32.6.1
External linkshttp://nvidia.custhelp.com/app/answers/detail/a_id/5216
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Buffer overflow
EUVDB-ID: #VU55586
Risk: Low
CVSSv3.1: 5.8 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-1111
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows an attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in Bootloader. An attacker with physical access through USB to the system can trigger memory corruption and execute arbitrary code.
MitigationInstall updates from vendor's website.
Vulnerable software versionsJetson AGX Xavier series: before 32.6.1
Jetson Xavier NX: before 32.6.1
Jetson TX2 series: before 32.6.1
Jetson TX2 NX: before 32.6.1
External linkshttp://nvidia.custhelp.com/app/answers/detail/a_id/5216
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) NULL pointer dereference
EUVDB-ID: #VU55588
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-1112
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in nvmap. A local userr can pass specially crafted data to the system and perform a denial of service (DoS) attack.
Install updates from vendor's website.
Vulnerable software versionsJetson AGX Xavier series: before 32.6.1
Jetson Xavier NX: before 32.6.1
Jetson TX2 series: before 32.6.1
Jetson TX2 NX: before 32.6.1
Jetson Nano: before 32.6.1
Jetson Nano 2GB: before 32.6.1
Jetson TX1: before 32.6.1
External linkshttp://nvidia.custhelp.com/app/answers/detail/a_id/5216
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Security restrictions bypass
EUVDB-ID: #VU55589
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-1113
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to unauthorized modification by camera resources. A local user can perform a denial of service attack.
Install updates from vendor's website.
Vulnerable software versionsJetson AGX Xavier series: before 32.6.1
Jetson Xavier NX: before 32.6.1
Jetson TX2 series: before 32.6.1
Jetson TX2 NX: before 32.6.1
Jetson Nano: before 32.6.1
Jetson Nano 2GB: before 32.6.1
Jetson TX1: before 32.6.1
External linkshttp://nvidia.custhelp.com/app/answers/detail/a_id/5216
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Use-after-free
EUVDB-ID: #VU55587
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-1114
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
Description
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a use-after-free error in the kernel crypto node. A local user can trigger a use-after-free error and perform a denial of service (DoS) attack.
Install updates from vendor's website.
Vulnerable software versionsJetson AGX Xavier series: before 32.6.1
Jetson Xavier NX: before 32.6.1
Jetson TX2 series: before 32.6.1
Jetson TX2 NX: before 32.6.1
External linkshttp://nvidia.custhelp.com/app/answers/detail/a_id/5216
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
