
Security Defects in TPM 2.0 Spec Raise Alarm

Security researchers at Quarkslab have identified a pair of serious memory-safety defects in the reference implementation code published with the Trusted Platform Module (TPM) 2.0 Library specification, code that many vendors reuse in their own TPM firmware, prompting a cross-vendor effort to identify and patch vulnerable devices. The vulnerabilities, tracked as CVE-2023-1017 (an out-of-bounds write) and CVE-2023-1018 (an out-of-bounds read), give an authenticated, local attacker a way to read or overwrite protected data in the TPM firmware and potentially achieve code execution inside the TPM. The discovery has raised alarm because the same reference code underlies TPMs in a wide range of devices, from specialized enterprise-grade hardware to Internet of Things (IoT) appliances.

The Trusted Computing Group (TCG), which maintains the TPM specification, has issued an errata document describing the two memory corruption issues and providing mitigation guidance. Quarkslab researchers Francisco Falcon and Ivan Arce are credited with finding the bugs and with driving an industry-wide coordinated vulnerability disclosure process ahead of Tuesday's public advisory.

Both vulnerabilities lie in the way the reference code processes the parameters carried in TPM commands, specifically in the CryptParameterDecryption() routine, which decrypts the first command parameter (a TPM2B value: a 2-byte size field followed by data) when a session has parameter encryption enabled. Because of missing length checks on that size field, an out-of-bounds read lets an attacker read 2 bytes of data that are not part of the current session (CVE-2023-1018), and it is also possible to write 2 bytes past the end of the current command buffer, corrupting TPM memory (CVE-2023-1017). An attacker with access to a device built on a vulnerable version of the reference code can trigger either bug by sending crafted commands to the TPM. What a 2-byte overwrite ultimately yields depends on what the particular firmware places after the command buffer, which is why the vendor-specific impact varies.
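The following is an added illustration of the bounds-checking defect described above; it is not the reference implementation's code and not Quarkslab's proof of concept. It models the size-handling logic of a routine like CryptParameterDecryption() in a few lines of C: the decryption step is a placeholder XOR rather than the session's real CFB keystream, the return-code names are borrowed from the reference implementation's TPM_RC_* names but their values are arbitrary, and the command frame and the canary bytes after it are constructed for the demonstration. The vulnerable variant reads the 2-byte size field without first checking that the buffer holds it, and compares the declared ciphertext length against the whole buffer instead of the bytes that remain after the size field; the hardened variant adds both checks.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Return codes named after the reference implementation's
 * TPM_RC_SUCCESS / TPM_RC_SIZE / TPM_RC_INSUFFICIENT; the numeric
 * values here are arbitrary (assumption for this model). */
enum { RC_SUCCESS = 0, RC_SIZE = 1, RC_INSUFFICIENT = 2 };

/* Encrypted parameters are TPM2B values: a 2-byte big-endian size
 * field followed by the ciphertext. */
#define LEADING_SIZE 2u

/* Stand-in for the session's CFB/XOR decryption. The real routine derives
 * a keystream from the session key and nonces; a fixed XOR pattern is
 * enough to show which bytes get touched. */
static void keystream_xor(uint8_t *data, size_t len)
{
    for (size_t i = 0; i < len; i++)
        data[i] ^= (uint8_t)(0xA5 + i);
}

/* Vulnerable model of the parameter-decryption bounds logic.
 * Defect 1: the size field is read before checking that the buffer holds
 *   2 bytes, so a 0- or 1-byte parameter causes an out-of-bounds read.
 * Defect 2: cipherSize is compared against the full bufferSize rather
 *   than the bytes remaining after the size field, so a declared size
 *   equal to bufferSize passes and the decrypt writes 2 bytes past the
 *   end of the command buffer. */
int decrypt_param_vulnerable(uint8_t *buffer, uint32_t bufferSize)
{
    uint16_t cipherSize = (uint16_t)(((uint16_t)buffer[0] << 8) | buffer[1]);
    buffer += LEADING_SIZE;
    if (cipherSize > bufferSize)
        return RC_SIZE;
    keystream_xor(buffer, cipherSize);
    return RC_SUCCESS;
}

/* Hardened model: make sure the size field fits, then bound cipherSize
 * by what is left after consuming it. */
int decrypt_param_fixed(uint8_t *buffer, uint32_t bufferSize)
{
    if (bufferSize < LEADING_SIZE)
        return RC_INSUFFICIENT;
    uint16_t cipherSize = (uint16_t)(((uint16_t)buffer[0] << 8) | buffer[1]);
    buffer += LEADING_SIZE;
    bufferSize -= LEADING_SIZE;
    if (cipherSize > bufferSize)
        return RC_SIZE;
    keystream_xor(buffer, cipherSize);
    return RC_SUCCESS;
}

/* Constructed command frame: a 6-byte parameter whose size field claims
 * 6 bytes of ciphertext (only 4 follow), then 2 canary bytes standing in
 * for whatever follows the command buffer in TPM memory. */
#define PARAM_LEN 6u
#define CANARY_LEN 2u
#define CANARY 0xEE

static void build_frame(uint8_t frame[PARAM_LEN + CANARY_LEN])
{
    const uint8_t param[PARAM_LEN] = { 0x00, 0x06, 0x11, 0x22, 0x33, 0x44 };
    memcpy(frame, param, PARAM_LEN);
    frame[PARAM_LEN] = CANARY;
    frame[PARAM_LEN + 1] = CANARY;
}

/* Runs the vulnerable routine on the crafted frame and returns how many
 * canary bytes it modified, i.e. the size of the out-of-bounds write. */
int vulnerable_canary_bytes_written(void)
{
    uint8_t frame[PARAM_LEN + CANARY_LEN];
    build_frame(frame);
    (void)decrypt_param_vulnerable(frame, PARAM_LEN);
    int changed = 0;
    for (size_t i = PARAM_LEN; i < PARAM_LEN + CANARY_LEN; i++)
        if (frame[i] != CANARY)
            changed++;
    return changed;
}

/* Same frame through the hardened routine: returns its result code, or
 * -1 if the canary was touched. */
int fixed_result_on_same_frame(void)
{
    uint8_t frame[PARAM_LEN + CANARY_LEN];
    build_frame(frame);
    int rc = decrypt_param_fixed(frame, PARAM_LEN);
    if (frame[PARAM_LEN] != CANARY || frame[PARAM_LEN + 1] != CANARY)
        return -1;
    return rc;
}

/* A 1-byte parameter cannot even hold the size field: the hardened
 * routine refuses before reading it, where the vulnerable one would
 * read one byte past the end of the buffer. */
int fixed_result_on_short_param(void)
{
    uint8_t frame[PARAM_LEN + CANARY_LEN];
    build_frame(frame);
    return decrypt_param_fixed(frame, 1);
}
```

The ordering of the two checks matters: the length of the buffer must be validated before the size field is read from it, and the declared ciphertext length must be compared against the bytes that remain after the field has been consumed, not against the original length. A check in either position alone leaves one of the two bugs in place.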

The CERT Coordination Center is urging users to apply any updates provided by hardware and software manufacturers through their supply chain as soon as possible. Whether a given device is affected depends on the firmware its TPM vendor ships, so check the TPM's reported manufacturer and firmware version against the vendor's advisory; on Linux, `tpm2_getcap properties-fixed` from tpm2-tools reports both. In high-assurance computing environments, users should also consider TPM remote attestation to detect unexpected changes to device firmware and boot state; attestation detects tampering after the fact, it does not make the TPM itself tamper-proof.

Key Points:
• Security researchers have identified two serious security flaws in the Trusted Platform Module (TPM) 2.0 reference library specification
• The flaws, a 2-byte out-of-bounds write (CVE-2023-1017) and a 2-byte out-of-bounds read (CVE-2023-1018) in CryptParameterDecryption(), give an authenticated, local attacker a way to read or overwrite protected data in the TPM firmware and potentially achieve code execution
• The Trusted Computing Group (TCG) has issued an Errata documenting the two memory corruption issues and providing mitigation guidance
• The CERT coordination center is urging users to apply any updates provided by hardware and software manufacturers through their supply chain
• In high-assurance computing environments, users should consider using TPM remote attestation to detect unexpected changes to device firmware and boot state; it detects tampering rather than preventing it
