A couple of serious security flaws have been disclosed in the Trusted Platform Module (TPM) 2.0 reference library specification that could lead to information disclosure or privilege escalation.
One of the vulnerabilities, CVE-2023-1017, refers to an out-of-bounds write, while the other, CVE-2023-1018, is described as an out-of-bounds read. Cybersecurity company Quarkslab is credited with discovering and reporting the issues in November 2022.
“These vulnerabilities can be triggered from user-mode applications by sending malicious commands to a TPM 2.0 whose firmware is based on an affected TCG reference implementation,” the Trusted Computing Group (TCG) said in an advisory.
Large technology vendors, as well as organizations that use enterprise computers, servers, IoT devices, and embedded systems that include a TPM, may be affected by the flaws, Quarkslab noted, adding that they “could affect billions of devices.”
TPM is a hardware-based solution (i.e., a cryptoprocessor) that is designed to provide strong cryptographic functions and physical security mechanisms to resist tampering attempts.
“The most common TPM functions are used to measure system integrity and for key creation and usage,” Microsoft says in its documentation. “During the boot process of a system, the boot code that is loaded (including firmware and operating system components) can be measured and recorded in the TPM.”
“Integrity measures can be used as evidence of how a system was started and to ensure that a TPM-based key was used only when the correct software was used to start the system.”
The TCG consortium noted that the deficiencies are a result of a lack of necessary length checks, leading to buffer overflows that could pave the way for local information disclosure or privilege escalation.
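As an added example (not code from the TCG reference library or from this article), the C routine below shows the kind of length check the advisory describes as missing: a size-prefixed TPM2B-style parameter is accepted only when its declared size fits within the bytes actually remaining in the command, and it is copied only when it also fits the destination buffer. The big-endian 16-bit size prefix, the function names, and the sample command bytes are all assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed layout (added example, not the TCG reference code): a TPM2B-style
 * parameter is a big-endian 16-bit size followed by that many payload bytes. */
typedef struct { uint16_t size; const uint8_t *buffer; } tpm2b_view;

enum parse_rc { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_SIZE_EXCEEDS = 2 };

/* Hardened parse: confirm the 2-byte size header fits in the command, then
 * confirm the declared size does not exceed the bytes actually remaining.
 * Trusting `declared` without that second check is the bug class described. */
enum parse_rc parse_tpm2b(const uint8_t *buf, size_t buf_len, size_t offset,
                          tpm2b_view *out, size_t *next_offset)
{
    if (buf == NULL || out == NULL || offset > buf_len || buf_len - offset < 2)
        return PARSE_TRUNCATED;
    uint16_t declared = (uint16_t)((buf[offset] << 8) | buf[offset + 1]);
    size_t remaining = buf_len - offset - 2;
    if (declared > remaining)
        return PARSE_SIZE_EXCEEDS;
    out->size = declared;
    out->buffer = buf + offset + 2;
    if (next_offset != NULL)
        *next_offset = offset + 2 + declared;
    return PARSE_OK;
}

/* Copy a validated parameter into fixed scratch space; the destination
 * capacity is checked too, so neither side of the memcpy can overflow. */
int copy_tpm2b_checked(const tpm2b_view *v, uint8_t *dst, size_t dst_cap)
{
    if (v == NULL || dst == NULL || v->size > dst_cap)
        return -1;
    memcpy(dst, v->buffer, v->size);
    return (int)v->size;
}

/* Constructed samples: the first declares 16 payload bytes but carries 4. */
static const uint8_t SAMPLE_OVERSIZED[] = { 0x00, 0x10, 0xAA, 0xBB, 0xCC, 0xDD };
static const uint8_t SAMPLE_OK[]        = { 0x00, 0x04, 0xAA, 0xBB, 0xCC, 0xDD };

/* Parse the first parameter of a command buffer and report the verdict. */
int check_sample(const uint8_t *buf, size_t len)
{
    tpm2b_view v;
    return (int)parse_tpm2b(buf, len, 0, &v, NULL);
}
```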
Users are encouraged to apply the updates released by TCG and other vendors to address the flaws and mitigate supply chain risks.
“Users in high-security computing environments should consider using remote TPM attestation to detect any changes to devices and ensure their TPM is tamper-proof,” said the CERT Coordination Center (CERT/CC) in an alert.