Nvidia rushes out ‘selfblow’ security flaw patch after researcher goes public

Nvidia has patched a security flaw affecting all Tegra devices operating on Nvidia's bootloader

Nvidia logo

Nvidia has patched a security flaw affecting all Tegra devices operating on Nvidia’s bootloader. The “Selfblow” flaw, named after the self-destructive nature of the bootloader by security researcher Triszka Balázs, was reportedly disclosed to Nvidia back in March, offering a backdoor to nefarious actors that would allow malicious code to be operated on a system unbeknownst to users.

Nvidia describes the risk posted by Selfblow as “a vulnerability in nvtboot in which the nvtboot-cpu image is loaded without the load address first being validated, which may lead to code execution, denial of service, or escalation of privileges.” This essentially means that any boot protection on a Tegra device could be rendered null and void at will.

The flaw has now been given an official identifier, CVE-2019-5680, and has been patched with L4T 32.2. But this official response wasn’t necessarily on-time or obvious within the initial release notes, according to Balázs. The researcher informed Nvidia of the issue in March, offering a lengthy June 15 disclosure date. However, after many delays to a fix, he ended up going public with the vulnerability some four months after disclosure.

Shortly thereafter, Nvidia had an official fix (via Tom’s Hardware) ready to go. Although Selfblow was left out of the release notes for the update, and the CVE identifier was also incorrect in its severity valuation. Nvidia, after a little coercion by the security scene, has since updated its summary to describe the impact more accurately.

Notably this flaw is not suspected to have any affect on the most populous Tegra device, the Nintendo Switch, despite its Tegra X1 SoC. This is due to a custom bootloader.

A mitigation is now live, and further information can be found via Nvidia’s developer portal. Those of you on Nvidia PC gaming hardware needn’t worry about these pesky updates, however.