Security News Vulnerability in NVIDIA Tegra Chipsets Allows for Code Execution (bug requires physical access to affected hardware)

LASER_oneXM

A vulnerability in NVIDIA's Tegra chipsets allows for the execution of custom code on locked-down devices, security researcher Kate Temkin reveals.


Dubbed Fusée Gelée, this exploit leverages a coldboot vulnerability through which an attacker could achieve full, unauthenticated arbitrary code execution from an early bootROM context via Tegra Recovery Mode (RCM), the security researcher says.


The code is executed on the Boot and Power Management Processor (BPMP) before any lock-outs take effect, which results in the compromise of the entire root-of-trust for each processor, while also allowing for the exfiltration of secrets.


In a technical report (PDF) detailing the flaw, Temkin notes that the issue is that an attacker can control the length of a copy operation in the USB software stack inside the boot instruction ROM (IROM/bootROM). Thus, through a specially crafted USB control request, the contents of an attacker-controlled buffer can be copied over the active execution stack, gaining control of BPMP.
The attacker can then abuse the execution to exfiltrate secrets and load arbitrary code onto the main CPU Complex (CCPLEX) application processors. The code would be executed at the highest possible level of privilege (as the TrustZone Secure Monitor at PL3/EL3).


Impacting the Tegra chipset, the vulnerability is independent of the software stack. However, the security bug does require physical access to the affected hardware and cannot be exploited remotely.
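Added illustration, not part of the original post, Temkin's report or NVIDIA's bootROM code: the bug class described above (a copy whose length is taken directly from a USB control request) shown with the bounds checks that prevent it, in generic C. The handler name, the `RESP_MAX` buffer size and the sample request are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Standard 8-byte USB SETUP packet. Every field, including wLength,
 * is chosen by the host side of the cable. */
struct usb_setup {
    uint8_t  bmRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;   /* number of bytes the host asks for */
};

#define RESP_MAX 64u    /* hypothetical size of the response buffer */

/* Hardened control-IN handler. `src`/`src_len` describe the data the
 * device really has to return (for example a 2-byte status word).
 * Returns the number of bytes copied into `out`, or -1 on rejection. */
int handle_control_in(const struct usb_setup *req,
                      const uint8_t *src, size_t src_len,
                      uint8_t *out, size_t out_cap)
{
    if (!req || !src || !out)
        return -1;
    /* Flawed pattern: memcpy(out, src, req->wLength);
     * the host-supplied number alone decides how much memory moves. */
    size_t n = req->wLength;
    if (n > src_len)    /* never read past the data we actually hold */
        n = src_len;
    if (n > out_cap)    /* never write past the destination buffer */
        return -1;
    memcpy(out, src, n);
    return (int)n;
}

int main(void)
{
    /* Constructed sample: a status request asking for 0xFFFF bytes. */
    const uint8_t status[2] = { 0x01, 0x00 };
    uint8_t out[RESP_MAX];
    struct usb_setup req = { 0x82, 0x00, 0, 0, 0xFFFF };
    int n = handle_control_in(&req, status, sizeof status, out, sizeof out);
    printf("requested %u bytes, copied %d\n", (unsigned)req.wLength, n);
    return 0;
}
```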