image
Nvidia has patched three vulnerabilities affecting its Jetson lineup, which is a series of embedded computing boards designed for machine-learning applications, in things like autonomous robots, drones and more. A successful exploit could potentially cripple any such gadgets leveraging the affected Jetson products, said Nvidia. If exploited, the most serious of these flaws could lead to a denial-of-service (DoS) condition for affected products. The flaw (CVE-2021-1070) ranks 7.1 out of 10 on the CVSS scale, making it high-severity. It specifically exists in the Nvidia Linux Driver Package (L4T), the board support package for Jetson products. Nvidia L4T contains a glitch in the apply_binaries.sh script. This script is used to install Nvidia components into the root file system image. The script allows improper access control, which may lead to an unprivileged user being able to modify system device tree files. Device trees are a data structure of the hardware components of a particular computer, which allow an operating system’s kernel to use and manage those components, including the CPU, memory, and peripherals. Access to a device tree file could allow an attacker to launch a DoS attack. Further details about the flaw – including what an attacker needs to exploit it – were not disclosed. The issue was discovered by programmer Michael de Gans. All versions prior to L4T release r32.5 are affected; a patch is available in L4T release r32.5. Specific Jetson products affected…

Source