Game News

Nvidia finally patch up Selfblow exploit but don't mention finder

Published: 13:27, 22 July 2019
Updated: 10:45, 02 October 2019
Nvidia company logo

Nvidia have recently patched up a security flaw affecting Tegra devices but it took Jensen and Co five months to come up with a fix - more than a month past the public disclosure deadline. And it took exactly that to make them take notice.

Security researcher Triszka Balazs, who goes by the handle Balika011 on GitHub, informed Nvidia of the Selfblow flaw in March 2019, but the green team haven't exactly been the quickest to respond, especially considering the potential severity of the flaw.

It doesn't take a rocket scientist to see what Balazs referred to when he came up with the name, as he wrote that nvtboot practically blows a hole in itself.

"This is an untethered coldboot exploit and as far as i can tell it affects every single Tegra device released so far. (Except the Nintendo Switch since it uses a custom bootloader.) Completely defeats secure boot even on latest firmware", he wrote.

Selfblow's existence was reported to Nvidia on 09 March 2019, with a public disclosure date set for 15 June. Considering that 90 days is a standard, there's no doubt that was more than enough to address a security exploit of such magnitude. 

Unfortunately, Balazs realised that Nvidia didn't seem to be taking Selfblow seriously, with multiple promises of a fix eventually being delayed to the end of July.

"They did not even assigned (sic) a CVE Identifier. After 4 months I decided to give this to the public in good faith that will encourage them in fixing it so we can have a better, more secure devices.

All this eventually prompted Balazs to go public with the exploit, which finally made Nvidia listen and they soon had a fix.

Peculiarly enough, not only did 18 July's Nvidia L4T 32.2 release notes not mention Selfblow, they also don't mention the finder.

Nvidia Nvidia company logo Nvidia

Balazs said that the July 2019 Security Bulletin listed a CVE identifier as CVE-2019-5680, but he argues the 7.7 score should have been 8.1, as the exploit does not require user interaction.

You can find Balazs' post on . Thanks .

Related Topics
Latest Articles
Most Popular