Trusted Platform Module (TPM) 2.0 flaws could impact billions of devices

Two vulnerabilities affecting the Trusted Platform Module (TPM) 2.0 library could potentially lead to information disclosure or privilege escalation.

The Trusted Computing Group (TCG) is warning of two vulnerabilities affecting the implementations of the Trusted Platform Module (TPM) 2.0 that could potentially lead to information disclosure or privilege escalation.

The Trusted Platform Module (TPM) technology is a hardware-based solution that provides secure cryptographic functions to the operating systems on modern computers, making it resistant to tampering.

An attacker who has access to a TPM-command interface can exploit the flaws sending maliciously-crafted commands to the module.

Both vulnerabilities were reported in November 2022 by cybersecurity firm Quarkslab.

“An authenticated, local attacker could send maliciously crafted commands to a vulnerable TPM allowing access to sensitive data. In some cases, the attacker can also overwrite protected data in the TPM firmware. This may lead to a crash or arbitrary code execution within the TPM.” reads the alert published by the CERT Coordination Center (CERT/CC). “Because the attacker’s payload runs within the TPM, it may be undetectable by other components of the target device.”

The first issue, tracked as CVE-2023-1017, is an out-of-bounds write. The second vulnerability, tracked as CVE-2023-1018, is described as an out-of-bounds read.

“The buffer overflows occur on the buffer passed to the ExecuteCommand() entry point (detailed in Part 4 of the spec.) CVE-2023-1017 may allow an attacker to write 2 bytes past the end of that buffer. Those 2 bytes can be written, with attacker-specified values, and therefore the impact assessment depends on what is at that memory location, which may vary across various TPM implementations & vendors.” reads the advisory. “In some implementations the two bytes in question may be unused memory (e.g. in case of certain static buffers), or it could have live data (e.g. if the buffer is on the stack.) CVE-2023-1018 may allow an attacker to read 2 bytes past the end of that buffer.”

Quarkslab researchers pointed out that the vulnerabilities could potentially affect billions of devices, including IoT devices, servers, and embedded systems.

“Two vulnerabilities found by Quarkslab in the TPM2.0 reference implementation and reported in November 2022 are now publicly revealed and could affect Billions of devices.” states Quarkslab.

“Users in high-assurance computing environments should consider using TPM Remote Attestation to detect any changes to devices and ensure their TPM is tamper proofed.” concludes the CERT Coordination Center (CERT/CC).

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Trusted Platform Module)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.