Vulnerabilities were discovered in the Nvidia Shield TV game console and the Intel NUC (Next Unit of Computing) compact computer.
Both vendors have issued security recommendations and updates for the affected systems.
One of the problems was found in the Nvidia Tegra SoC component, which loads the Nvidia Shield TV operating system. The bug is associated with incorrect check of the boundaries of the data in the memory buffer and its overflow. This gives an attacker the ability to elevate privileges and execute third-party code. The vulnerability is identified as CVE‑2019‑5699 and is estimated by experts at 7.6 CVSS.
The second error, recorded as CVE‑2019‑5700, received the same hazard rating. Its disadvantage lies in the way the bootloader interacts with the disk image containing the files necessary for the device to work. As the developers explained, the vulnerable component does not correctly check the header field with the version number, which can lead to a denial of service, escalation of privileges and data leakage.
The vendor did not indicate what rights an attacker should have for a successful attack, nor did he explain whether remote exploitation of vulnerabilities is possible. Both bugs are fixed in the Nvidia Shield TV 8.0.1 firmware. Users of earlier versions of the product are recommended urgently upgrade versions to the current release.
“This update addresses issues that may lead to information disclosure, denial of service, code execution, or escalation of privileges. To protect your system, download and install this software update through Settings -> About -> System update”, — said Nvidia in release.
Both vulnerabilities found in Intel NUC software rated 7.5 CVSS. Bugs require local access to the device and affect gaming computers of the NUC 8 family, as well as a number of other products.
The disadvantage of CVE-2019-14569 is related to the incorrect operation of variable address pointers, and the vulnerability CVE-2019-14570 is caused by a memory corruption problem. Both bugs can lead to unauthorized elevation of the attacker’s rights, denial of service or information leakage.
“Potential security vulnerabilities in system firmware for Intel NUC may allow escalation-of-privilege, denial-of-service and/or information disclosure. Intel is releasing firmware updates to mitigate these potential vulnerabilities”, — said Intel, in an advisory.
In July of this year, Nvidia patched a dangerous flaw in the Jetson TX1 developer kit. A bug that could cause denial of service, escalation of privileges or lead to the execution of malicious code affected millions of IoT devices running on the Tegra processor.