A vulnerability in NVIDIA’s Tegra chipsets allows for the execution of custom code on locked-down devices, security researcher Kate Temkin reveals.
Dubbed Fusée Gelée, this exploit leverages a coldboot vulnerability through which an attacker could achieve full, unauthenticated arbitrary code execution from an early bootROM context via Tegra Recovery Mode (RCM), the security researcher says.
The code is executed on the Boot and Power Management Processor (BPMP) before any lock-outs take effect, which results in the compromise of the entire root-of-trust for each processor, while also allowing for the exfiltration of secrets.
In a technical report (PDF) detailing the flaw, Temkin notes that the issue is that an attacker can control the length of a copy operation in the USB software stack inside the boot instruction rom (IROM/bootROM). Thus, through a specially crafted USB control request, the contents of an attacker-controlled buffer can be copied over the active execution stack, gaining control of BPMP.
The attacker can then abuse the execution to exfiltrate secrets and load arbitrary code onto the main CPU Complex (CCPLEX) application processors. The code would be executed at the highest possible level of privilege (as the TrustZone Secure Monitor at PL3/EL3).
Impacting the Tegra chipset, the vulnerability is independent of software stack. However, the security bug does requires physical access to the affected hardware and cannot be exploited remotely.
Fusée Gelée, the researcher explains, is the result of a coding error in the read-only bootROM found in most Tegra devices. Because the affected component cannot be patched once it has left the factory, the vulnerability will continue to impact user devices.
The vulnerability has a broad impact and the security researcher has already responsibly disclosed it to NVIDIA, and Nintendo has been alerted as well. Temkin says she hasn’t accepted a reward for the finding.
“This vulnerability is notable due to the significant number and variety of devices affected, the severity of the issue, and the immutability of the relevant code on devices already delivered to end users. This vulnerability report is provided as a courtesy to help aid remediation efforts, guide communication, and minimize impact to users,” the security researcher notes.
The vulnerability is believed to impact all Tegra SoCs released prior to the T186 / X2. Full public disclosure is planned for June 15, 2018, but other groups are believed to be in possession of an exploit, and the disclosure might happen earlier if an implementation is released.
“By minimizing the information asymmetry between the general public and exploit-holders and notifying the public, users will be able to best assess how this vulnerability impacts their personal threat models,” the researcher says.
All Nintendo Switch devices currently in users’ hands will continue to “be able to use Fusée Gelée” throughout their lives, the researcher says. Users who already own a Switch (meaning they have a current hardware revision) will get access to Atmosphère even if they install a newer firmware version, because the core vulnerability is not software dependant.
“Fusée Gelée isn’t a perfect, ‘holy grail’ exploit– though in some cases it can be pretty damned close. The different variants of Fusée Gelée will each come with their own advantages and disadvantages. We’ll work to make sure you have enough information to decide which version is right for you around when we release Fusée Gelée to the public, so you can decide how to move forward,” Temkin said.