Trusted Platform Module (TPM) 2.0 flaws could impact billions of devices

Two vulnerabilities affecting the Trusted Platform Module (TPM) 2.0 library could potentially lead to information disclosure or privilege escalation.

The Trusted Computing Group (TCG) is warning of two vulnerabilities affecting the implementations of the Trusted Platform Module (TPM) 2.0 that could potentially lead to information disclosure or privilege escalation.

The Trusted Platform Module (TPM) technology is a hardware-based solution that provides secure cryptographic functions to the operating systems on modern computers, making it resistant to tampering.

An attacker who has access to a TPM-command interface can exploit the flaws sending maliciously-crafted commands to the module.

Both vulnerabilities were reported in November 2022 by cybersecurity firm Quarkslab.

“An authenticated, local attacker could send maliciously crafted commands to a vulnerable TPM allowing access to sensitive data. In some cases, the attacker can also overwrite protected data in the TPM firmware. This may lead to a crash or arbitrary code execution within the TPM.” reads the alert published by the CERT Coordination Center (CERT/CC). “Because the attacker’s payload runs within the TPM, it may be undetectable by other components of the target device.”

The first issue, tracked as CVE-2023-1017, is an out-of-bounds write. The second vulnerability, tracked as CVE-2023-1018, is described as an out-of-bounds read.

“The buffer overflows occur on the buffer passed to the ExecuteCommand() entry point (detailed in Part 4 of the spec.) CVE-2023-1017 may allow an attacker to write 2 bytes past the end of that buffer. Those 2 bytes can be written, with attacker-specified values, and therefore the impact assessment depends on what is at that memory location, which may vary across various TPM implementations & vendors.” reads the advisory. “In some implementations the two bytes in question may be unused memory (e.g. in case of certain static buffers), or it could have live data (e.g. if the buffer is on the stack.) CVE-2023-1018 may allow an attacker to read 2 bytes past the end of that buffer.”

Quarkslab researchers pointed out that the vulnerabilities could potentially affect billions of devices, including IoT devices, servers, and embedded systems.

“Two vulnerabilities found by Quarkslab in the TPM2.0 reference implementation and reported in November 2022 are now publicly revealed and could affect Billions of devices.” states Quarkslab.

“Users in high-assurance computing environments should consider using TPM Remote Attestation to detect any changes to devices and ensure their TPM is tamper proofed.” concludes the CERT Coordination Center (CERT/CC).

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Trusted Platform Module)