NVIDIA patched a high-severity vulnerability affecting its Jetson series computing boards that could enable denial of service (DoS), code execution and privilege escalation in AI-powered systems.
In an advisory published Wednesday, NVIDIA disclosed a flaw in the Jetson Linux component of its JetPack software development kit (SDK), which powers its Jetson devices including the NVIDIA Jetson AGX Xavier Series, Jetson Xavier NX, Jetson TX1, Jetson TX2 Series and Jeston Nano.
The fixed version, Jetson Linux 32.7.5, resolves the vulnerability tracked as CVE-2024-0108, which has a high CVSS score of 8.7. CVE-2024-0108 affects all versions of Jetson Linux prior to and including 32.7.4.
The flaw exists in the NvGPU component of Jetson Linux and involves failure of the error handling paths of the GPU memory management unit code to clean up after a failed mapping attempt. This lack of cleanup can lead to errors and instability that could be leveraged by attackers to trigger DoS, execute code or escalate privileges on the affected system.
NVIDIA Jetson series devices are used in a wide range of AI and robotics applications, including manufacturing, healthcare, agriculture, transportation, smart cities and more. For example, the NVIDIA Jetson Xavier NX powers machine vision systems for vehicles and medical devices, and the compact NVIDIA Jetson Nano enables AI capabilities in small internet-of-things (IoT) devices.
Earlier this year, NVIDIA also patched three security vulnerabilities in its new ChatRTX demo app, which enables custom training of large-language models (LLMs) that can be run locally on a user’s device.
Other NVIDIA vulnerabilities pose risk to networking, data center solutions
An additional NVIDIA security bulletin published Wednesday disclosed two vulnerabilities affecting its Mellanox OS, ONYX, Skyway and MetroX-3 network management and data processing solutions, which are used in high-performance computing (HPC), data center and cloud applications.
The first vulnerability, tracked as CVE-2024-0101, has a high CVSS score of 7.5 and could lead to DoS conditions. This flaw exists in the ipfilter component, potentially enabling an attacker to trigger a DoS of network switch operations by exploiting improper ipfilter definitions.
The other bug, tracked as CVE-2024-0104, is of medium severity and can cause improper access leading to information disclosure, data tampering and escalation of privileges. This flaw specifically impacts the Lightweight Directory Access Protocol (LDAP) Authentication, Authorization, and Accounting (AAA) component in the affected products.
These flaws affect all versions of the products prior to the fixed versions; a full list of updated version is included in the bulletin.
