CVE-2021-1071 in Jetson AGX Xavier

Summary

by MITRE • 01/27/2021

NVIDIA Tegra kernel in Jetson AGX Xavier Series, Jetson Xavier NX, TX1, TX2, Nano and Nano 2GB, all L4T versions prior to r32.5, contains a vulnerability in the INA3221 driver in which improper access control may lead to unauthorized users gaining access to system power usage data, which may lead to information disclosure.

Analysis

by VulDB Data Team • 02/20/2021

The vulnerability identified as CVE-2021-1071 affects NVIDIA Tegra kernel implementations across multiple Jetson embedded platforms including the AGX Xavier Series, Xavier NX, TX1, TX2, Nano, and Nano 2GB devices. This issue resides within the INA3221 driver component that manages power monitoring capabilities for these systems. The vulnerability stems from inadequate access control mechanisms that fail to properly restrict access to sensitive power consumption data, creating a potential information disclosure risk for unauthorized system users.

This security flaw represents a critical access control vulnerability classified under CWE-284, which specifically addresses improper access control in software systems. The INA3221 driver is responsible for monitoring and reporting power usage statistics from various system components, including CPU, GPU, and memory subsystems. The improper access control allows malicious actors to extract detailed power consumption metrics that could reveal system configuration, operational patterns, and potentially sensitive information about the device's workload characteristics. The vulnerability exists across all L4T versions prior to r32.5, indicating a widespread impact across multiple generations of NVIDIA's embedded computing platforms.

The operational impact of this vulnerability extends beyond simple information disclosure, as power usage data can provide adversaries with valuable insights into system behavior and resource utilization patterns. Attackers could leverage this information to understand system performance characteristics, identify potential attack vectors, or even correlate power consumption data with specific application activities to infer system contents or operational states. This information could be particularly valuable in embedded systems where power consumption patterns may correlate with sensitive operations or data processing activities, potentially enabling more sophisticated attacks against the target platform.

From a threat modeling perspective, this vulnerability aligns with ATT&CK technique T1082, which involves discovering system information through reconnaissance activities. The exposure of power monitoring data could facilitate further reconnaissance efforts and potentially enable attackers to craft more targeted attacks against the system. Organizations utilizing affected NVIDIA Jetson platforms should prioritize immediate patching to address this access control weakness and prevent unauthorized access to critical system telemetry data that could be exploited for broader security compromises.

The remediation strategy involves updating to NVIDIA L4T version r32.5 or later, which includes proper access control measures for the INA3221 driver. System administrators should also implement additional monitoring of power consumption data access patterns to detect potential unauthorized access attempts. Security teams should conduct comprehensive vulnerability assessments across all affected platforms to ensure complete remediation and verify that proper access controls have been implemented throughout the system architecture.
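
A version check for the remediation above, written as an added example (it is not NVIDIA or VulDB code). It assumes the L4T release header is the first line of /etc/nv_tegra_release in the format shown in the comment; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not NVIDIA or VulDB code): classify an L4T install against the
# r32.5 fix level named for CVE-2021-1071.
# Assumption: the first line of /etc/nv_tegra_release looks like
#   "# R32 (release), REVISION: 4.4, GCID: ..., BOARD: ..., EABI: ..., DATE: ..."

# Print "BRANCH.REVISION" (e.g. 32.4.4) for a header line; fail if it does not parse.
l4t_version() {
    printf '%s\n' "$1" |
        sed -n 's/^# R\([0-9][0-9]*\) (release), REVISION: \([0-9][0-9.]*\),.*/\1.\2/p' |
        grep .
}

# Print "vulnerable <ver>", "fixed <ver>" or "unknown" for a header line.
# Anything that does not parse is reported as unknown, never as fixed.
l4t_status() {
    ver=$(l4t_version "$1") || { echo "unknown"; return 0; }
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    if [ "$major" -lt 32 ] || { [ "$major" -eq 32 ] && [ "$minor" -lt 5 ]; }; then
        echo "vulnerable $ver"
    else
        echo "fixed $ver"
    fi
}

if [ -r /etc/nv_tegra_release ]; then
    # On a Jetson: report this device.
    echo "$(hostname): $(l4t_status "$(head -n 1 /etc/nv_tegra_release)")"
else
    # Elsewhere: run over constructed sample headers (GCID/BOARD/DATE are placeholders).
    for line in \
        '# R32 (release), REVISION: 4.4, GCID: 0, BOARD: sample, EABI: aarch64, DATE: sample' \
        '# R32 (release), REVISION: 5.0, GCID: 0, BOARD: sample, EABI: aarch64, DATE: sample' \
        'not an L4T header'
    do
        echo "$(l4t_status "$line")  <-  $line"
    done
fi
```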

Responsible: NVIDIA Corporation

Reservation: 11/12/2020

Disclosure: 01/27/2021

Moderation: accepted

CPE: ready

EPSS: 0.00273

KEV: no

Activities: very low
