Two separate vulnerabilities have been found in the Trusted Platform Module (TPM) 2.0 that could lead to information disclosure or escalation of privilege.
At a basic level, TPM is a hardware-based technology providing secure cryptographic functions to the operating systems on modern computers, making them resistant to tampering.
Affecting Revisions 1.59, 1.38 and 1.16 of the module’s reference implementation code, the flaws were first discovered by security researchers at Quarks Lab in November. Earlier this week, the company concluded a coordinated disclosure process with the CERT Coordination Center and Trusted Computing Group (TCG). The latter company is the publisher of the TPM 2.0 Library documentation.
The disclosed flaws occurred when handling malicious TPM 2.0 commands with encrypted parameters. Both of them are in the `CryptParameterDecryption` function, which is defined in the TCG document.
The first of the vulnerabilities (CVE-2023-1018) is an out-of-bound read bug, while the second one (tracked CVE-2023- 1017) is defined as an out-of-bounds write.
“These vulnerabilities can be triggered from user-mode applications by sending malicious commands to a TPM 2.0 whose firmware is based on an affected TCG reference implementation,” TCG wrote. “Additional instances may be identified because of the TPM Work Group ongoing analysis and may result in a larger scope of potential vulnerabilities.”
According to the CERT advisory, the flaws would enable read-only access to sensitive data (CVE-2023-1018) or overwriting (CVE-2023- 1017) of protected data only available to the TPM, such as cryptographic keys.
Before the public disclosure, TCG updated their Errata for TPM2.0 Library Specification with guidelines on how to remediate the flaws.
“To ensure the security of their systems, users should apply any updates provided by hardware and software manufacturers through their supply chain as soon as possible,” CERT wrote.
“Updating the firmware of TPM chips may be necessary, and this can be done through an OS vendor or the original equipment manufacturer (OEM). In some cases, the OEM may require resetting the TPM to its original factory default values as part of the update process.”
More information about hardware security is available in this piece by Infosecurity deputy editor James Coker.