Nvidia released a security update for the Jetson TX1 in the Tegra Linux Driver Package (L4T) on July 18. The associated security bulletin offered precious few details about what Nvidia fixed, but on GitHub, a researcher named Triszka Balázs revealed that the company was patching a flaw that enabled malicious code execution on “every single Tegra device released so far” via what he called the Selfblow exploit.
The flaw involved an issue with the Tegra bootloader. Balázs explained that “nvtboot (NVC) loads nvtboot-cpu (TBC) without validating the load address first, leading to arbitrary memory write,” which means the Selfblow exploit “completely defeats secure boot even on latest firmware.” (There is an exception in the Nintendo Switch–the console uses a different bootloader and thus wasn’t affected by this flaw.)
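As an added illustration (not Nvidia's code and not part of the original article), the following C sketch shows the kind of load-address validation the quoted description says nvtboot skipped: a next-stage header's destination range is checked for wrap-around, containment in DRAM and overlap with the running loader before any copy takes place. The memory map constants and the simulated DRAM array are constructed assumptions, not the real Tegra layout.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed, simplified memory map for illustration; the real Tegra layout
 * is not given on the page. DRAM is simulated by a small static array. */
#define DRAM_BASE    0x80000000ULL
#define DRAM_SIZE    0x00010000ULL   /* 64 KiB simulated window */
#define LOADER_BASE  0x80000000ULL   /* region the running loader itself occupies */
#define LOADER_SIZE  0x00001000ULL   /* first 4 KiB reserved for the loader */

static uint8_t dram[DRAM_SIZE];

/* Next-stage image header as a loader would read it from flash. If the image
 * is not authenticated before these fields are used, they are attacker input. */
struct stage_header {
    uint64_t load_addr;
    uint64_t size;
};

static bool ranges_overlap(uint64_t a, uint64_t a_len, uint64_t b, uint64_t b_len) {
    /* Callers guarantee that neither a + a_len nor b + b_len wraps. */
    return a < b + b_len && b < a + a_len;
}

/* True only if [load_addr, load_addr + size) is non-empty, does not wrap,
 * lies entirely inside DRAM, and does not overlap the loader's own memory. */
bool load_address_is_valid(const struct stage_header *h) {
    if (h->size == 0)
        return false;
    if (h->load_addr > UINT64_MAX - h->size)   /* addr + size would wrap */
        return false;
    uint64_t end = h->load_addr + h->size;
    if (h->load_addr < DRAM_BASE || end > DRAM_BASE + DRAM_SIZE)
        return false;
    if (ranges_overlap(h->load_addr, h->size, LOADER_BASE, LOADER_SIZE))
        return false;
    return true;
}

/* Copy the image into simulated DRAM only after the destination passes the
 * check above; an unchecked copy here is what turns a header field into an
 * arbitrary memory write. Returns false and writes nothing on rejection. */
bool load_stage(const struct stage_header *h, const uint8_t *image) {
    if (!load_address_is_valid(h))
        return false;
    memcpy(&dram[h->load_addr - DRAM_BASE], image, (size_t)h->size);
    return true;
}

/* Read one byte back from simulated DRAM (for callers and tests). */
uint8_t dram_peek(uint64_t addr) {
    return dram[addr - DRAM_BASE];
}
```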
Balázs said he disclosed the vulnerability to Nvidia on March 9 with plans to publicly reveal it on June 15. That’s longer than most researchers give companies to respond to security flaws–the industry standard is 90 days–but it still wasn’t long enough for Nvidia to address the issue. Balázs claimed that Nvidia said it would fix the flaw in May, but then it didn’t even assign a CVE identifier until July.
So he “decided to give this to the public in good faith that [it] will encourage them in fixing it so we can have better, more secure devices.” Nvidia responded by releasing the security update on July 18, but Balázs still wasn’t content, updating his GitHub “readme” to say Nvidia didn’t include a reference to Selfblow in the security bulletin and made a mistake gauging the flaw’s severity on the CWE scale.
Nvidia “corrected the summary to describe potential impacts more accurately” on July 19. It also thanked Balázs for discovering and disclosing the vulnerability. More information about the security update can be found on the Nvidia DevZone, where it can also be downloaded. There is no other mitigation for the Selfblow exploit; the only way to defend a device using the Tegra chipset is to install this update.