SB2022042626 - Multiple vulnerabilities in NVIDIA Jetson Linux Driver Package




Published: April 26, 2022

Security Bulletin ID: SB2022042626
Severity: Low
Patch available: YES
Number of vulnerabilities: 5
Exploitation vector: Physical access
Highest impact: Code execution

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 5 security vulnerabilities.


1) Buffer overflow (CVE-ID: CVE-2022-28193)

The vulnerability allows a local attacker to escalate privileges on the system.

The vulnerability exists due to a boundary error in the Cboot module tegrabl_cbo.c. A local attacker with physical access to the system can trigger memory corruption and execute arbitrary code with elevated privileges.



2) Buffer overflow (CVE-ID: CVE-2022-28194)

The vulnerability allows a local attacker to escalate privileges on the system.

The vulnerability exists due to a boundary error in the Cboot module tegrabl_cbo.c. A local attacker with physical access to the system can trigger memory corruption and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability requires that TFTP is enabled.



3) Integer overflow (CVE-ID: CVE-2022-28195)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to an integer overflow in the Cboot ext4_read_file function. A local user can trigger an integer overflow and execute arbitrary code with elevated privileges.



4) Integer overflow (CVE-ID: CVE-2022-28197)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to an integer overflow in the Cboot ext4_mount function. A local user can trigger an integer overflow and execute arbitrary code with elevated privileges.



5) Buffer overflow (CVE-ID: CVE-2022-28196)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error in the Cboot blob_decompress function. A local user can trigger memory corruption and execute arbitrary code with elevated privileges.


Remediation

Install the update from the vendor's website.