Learn about CVE-2023-25518 affecting NVIDIA Jetson AGX Xavier series and Jetson Xavier NX. Vulnerability in CBoot component can lead to code execution, denial of service, and information disclosure.
This is a detailed overview of CVE-2023-25518, a vulnerability identified in NVIDIA Jetson products, specifically related to the CBoot component.
Understanding CVE-2023-25518
CVE-2023-25518 affects NVIDIA Jetson AGX Xavier series and Jetson Xavier NX products. It stems from a flaw in CBoot, where the PCIe controller is initialized without IOMMU protection. An attacker with physical access to the device could read and write arbitrary memory, which may lead to code execution, denial of service, information disclosure, and loss of integrity.
What is CVE-2023-25518?
The vulnerability in CBoot in NVIDIA Jetson products allows unauthorized access to system memory, which can be exploited by an attacker with physical proximity to the device. By exploiting this flaw, attackers can execute arbitrary code, disrupt services, access sensitive information, and compromise the system's integrity.
The Impact of CVE-2023-25518
The impact of CVE-2023-25518 is significant, with the potential for code execution, denial of service attacks, information disclosure, and integrity compromise. This vulnerability poses a serious risk to the security and stability of affected NVIDIA Jetson devices.
Technical Details of CVE-2023-25518
The vulnerability has a CVSS base score of 7.1, which is rated High. The attack vector is physical and the attack complexity is high. No privileges or user interaction are required, and the scope is changed. The impact on confidentiality, integrity, and availability is high in each case.
Vulnerability Description
The vulnerability in CBoot of NVIDIA Jetson devices allows unauthorized memory access, potentially leading to severe consequences including data theft, system compromise, and service disruption.
Affected Systems and Versions
NVIDIA Jetson AGX Xavier series and Jetson Xavier NX products are impacted by this vulnerability. Specifically, all versions prior to 32.7.4 are susceptible to exploitation.
Exploitation Mechanism
The vulnerability arises because CBoot initializes the PCIe controller without IOMMU protection. With no IOMMU restricting device memory access during boot, an attacker with physical access to the device can manipulate system memory.
Mitigation and Prevention
Address CVE-2023-25518 promptly on affected NVIDIA Jetson devices. Because exploitation requires physical access, the fix is to install the patched release described below.
Immediate Steps to Take
Long-Term Security Practices
Patching and Updates
NVIDIA has released version 32.7.4 as a security patch to address the CVE-2023-25518 vulnerability. Ensure timely installation of this patch to safeguard the integrity and security of NVIDIA Jetson devices.
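To find devices still running a release older than 32.7.4, the following added example (not NVIDIA code and not from the original page) parses the release line and compares it with the fixed version. It assumes the version numbers above are Jetson Linux (L4T) releases recorded in `/etc/nv_tegra_release` in the form shown in the comment; it checks the version only, not the board model.

```shell
#!/bin/sh
# Added example (not NVIDIA code): flag releases older than the fixed version.
FIXED="32.7.4"                                          # fixed version named on this page
RELEASE_FILE="${RELEASE_FILE:-/etc/nv_tegra_release}"   # assumption: L4T release file

# l4t_version LINE: "# R32 (release), REVISION: 7.1, ..." -> "32.7.1"
# Prints nothing when the line does not have that shape.
l4t_version() {
    printf '%s\n' "$1" |
        sed -n 's/^# *R\([0-9][0-9]*\) (release), REVISION: *\([0-9][0-9.]*\).*/\1.\2/p'
}

# version_lt A B: succeeds when dotted version A is numerically lower than B.
# Missing trailing fields count as 0, so "32.7" compares as "32.7.0".
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if ((x[i] + 0) < (y[i] + 0)) exit 0
            if ((x[i] + 0) > (y[i] + 0)) exit 1
        }
        exit 1
    }'
}

# check_line LINE: prints "vulnerable V", "fixed-or-later V", or "unknown".
check_line() {
    v=$(l4t_version "$1")
    if [ -z "$v" ]; then
        echo "unknown"
    elif version_lt "$v" "$FIXED"; then
        echo "vulnerable $v"
    else
        echo "fixed-or-later $v"
    fi
}

# On a device, report on the real file; elsewhere this step is skipped.
if [ -r "$RELEASE_FILE" ]; then
    check_line "$(head -n 1 "$RELEASE_FILE")"
fi
```

For fleet inventory, set `RELEASE_FILE` to a copy of the file collected from each device and record the printed status per host.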