Hacking Nvidia Shield TV Hit With High-Severity Security Flaws - Possible New Entry Points?

mattyxarope

Well-Known Member
OP
So NVIDIA detailed two new exploits for the bootloader of the NVIDIA Shield TV:

CVE‑2019‑5699
NVIDIA Tegra bootloader contains a vulnerability where the software performs an incorrect bounds check, which may lead to buffer overflow resulting in escalation of privileges and code execution.

and

CVE‑2019‑5700
NVIDIA Tegra software contains a vulnerability in the bootloader, where it does not validate the fields of the boot image, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.

"The first flaw (CVE‑2019‑5699) stems from the bootloader in the Nvidia Tegra SoC of Nvidia Shield TV. This is the piece of code that runs before an operating system starts to run, and loads the operating system when a computer turns on. The issue is due to the software performing an incorrect bounds check. Bounds checking is a method of detecting whether a variable is within “bounds” before it is used in the memory buffer, which is a region of a physical memory storage. This flaw can lead to a buffer overflow; when more data is sent to a memory block (buffer) than it can hold. Attackers could leverage this flaw to launch escalation-of-privilege and code-execution attacks.

The other flaw (CVE‑2019‑5700) exists in how the bootloader interacts with the boot image, a type of disk image that provides critical files necessary to load the device. The boot image typically contains a field that indicates a header version; the bootloader must check this header version field and parse the header accordingly. However, according to Nvidia, the bootloader in the vulnerable versions does not correctly validate the fields of the boot image. This glitch can lead to code execution, denial-of-service, escalation-of-privilege and information disclosure."

https://nvidia.custhelp.com/app/answers/detail/a_id/4875

Would these be applicable to the bootloader of the Switch?
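The two checks the quoted description says a bootloader must perform (validate the header version before parsing, and bounds-check length fields before using them) look like this in C. This is an added example with a hypothetical 16-byte header format, not code from the original post or from NVIDIA's Tegra bootloader; `bootimg_validate`, `bootimg_load_kernel`, the field names and `KERNEL_LOAD_CAPACITY` are all assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>
/* Hypothetical boot-image header, constructed for this example (not NVIDIA's real
 * Tegra layout): four little-endian u32 fields, 16 bytes in total. */
#define BOOTIMG_MAGIC        0x544F4F42u  /* "BOOT" */
#define BOOTIMG_HDR_SIZE     16u
#define KERNEL_LOAD_CAPACITY 4096u        /* fixed-size kernel load buffer */

enum bootimg_status {
    BOOTIMG_OK = 0,
    BOOTIMG_ERR_SHORT,    /* image is smaller than the header itself */
    BOOTIMG_ERR_MAGIC,
    BOOTIMG_ERR_VERSION,  /* header_version is not one this parser understands */
    BOOTIMG_ERR_BOUNDS    /* kernel range lies outside the image or the load buffer */
};
struct bootimg_hdr { uint32_t magic, header_version, kernel_offset, kernel_size; };

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Check every header field before any field is used to address memory. */
enum bootimg_status bootimg_validate(const uint8_t *img, size_t img_len, struct bootimg_hdr *out) {
    if (img_len < BOOTIMG_HDR_SIZE) return BOOTIMG_ERR_SHORT;
    struct bootimg_hdr h = { rd_le32(img), rd_le32(img + 4), rd_le32(img + 8), rd_le32(img + 12) };
    if (h.magic != BOOTIMG_MAGIC) return BOOTIMG_ERR_MAGIC;
    /* Parse only a version we know; an unknown version is rejected, not guessed at. */
    if (h.header_version != 1) return BOOTIMG_ERR_VERSION;
    /* Range check by subtraction: "offset + size <= len" can wrap in 32 bits and pass. */
    if (h.kernel_offset < BOOTIMG_HDR_SIZE || h.kernel_offset > img_len) return BOOTIMG_ERR_BOUNDS;
    if (h.kernel_size > img_len - h.kernel_offset) return BOOTIMG_ERR_BOUNDS;
    /* The destination buffer has its own limit, independent of the image size. */
    if (h.kernel_size > KERNEL_LOAD_CAPACITY) return BOOTIMG_ERR_BOUNDS;
    if (out) *out = h;
    return BOOTIMG_OK;
}

/* Copy the kernel into a KERNEL_LOAD_CAPACITY-byte buffer only after validation passes. */
enum bootimg_status bootimg_load_kernel(const uint8_t *img, size_t img_len, uint8_t *dst) {
    struct bootimg_hdr h;
    enum bootimg_status st = bootimg_validate(img, img_len, &h);
    if (st == BOOTIMG_OK) memcpy(dst, img + h.kernel_offset, h.kernel_size);
    return st;
}

/* Write a constructed header into img; the kernel bytes are whatever follows it. */
void bootimg_write_hdr(uint8_t *img, uint32_t version, uint32_t off, uint32_t size) {
    wr_le32(img, BOOTIMG_MAGIC); wr_le32(img + 4, version); wr_le32(img + 8, off); wr_le32(img + 12, size);
}
```

The wrap-around case (an offset near 0xFFFFFFFF with a small size) is the one a naive `offset + size <= len` check accepts, which is why the range is checked by subtraction.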

linuxares

I'm not a generous god!
Global Moderator
Yeah, the first exploit, if it's possible on the Switch, is definitely a coldboot possibility, if it's the same on the Switch. CVE‑2019‑5700, however, sounds like the RCM bug, no?

EDIT: From what I get, it seems that they are both software patchable. So we should not update if Nintendo magically releases a new firmware update in the next couple of weeks, if these are exploitable.

Ericthegreat

Not New Member
I didn't think about this when I read about the security issue. Interesting; if someone doesn't say something soon, Nintendo will patch it, and everyone will update.

linuxares

I'm not a generous god!
Global Moderator
If people are curious (like I was), this doesn't seem to be the previously found selfblow exploit, as that one has a similar but different CVE.
Selfblow? I haven't heard about that one before either. Since it's software patchable, it sounds like it's something with the Android system, no?

kevin corms

Well-Known Member
Well, on the other hand, the fact that it runs Android means it isn't very secure in the first place. It's a great device for what it is, but I wouldn't trust my bank info or anything on it.

linuxares

I'm not a generous god!
Global Moderator
Well, on the other hand, the fact that it runs Android means it isn't very secure in the first place. It's a great device for what it is, but I wouldn't trust my bank info or anything on it.
No real electronic is "secure". It's just safe until someone really wants to get in.

kevin corms

Well-Known Member
No real electronic is "secure". It's just safe until someone really wants to get in.
There are variable levels of security, but yes, nothing is perfect. I don't get this argument, which seems to come straight from Google: people are basically saying that since any security can theoretically be defeated, security is just a waste of time? That kind of logic just doesn't fly with me, sorry.