Experts from Quarkslab have discovered two serious vulnerabilities in the Trusted Platform Module (TPM) 2.0 library specification. Issues could allow an authenticated local attacker to overwrite protected data in the TPM, as well as to execute an arbitrary code.
The researchers warn that these issues could affect billions of devices.Let me remind you that we also wrote that Mali GPU Driver Vulnerabilities Threaten Millions of Devices, and also that Vulnerabilities in AMI MegaRAC Controllers Threaten AMD, ARM, HPE and Dell Servers.
The vulnerabilities have received identifiers CVE-2023-1017 (out-of-bounds read) and CVE-2023-1018 (out-of-bounds write). Both problems are related to the processing of parameters for some TPM commands, and ultimately allow an attacker to exploit them by sending malicious commands to the TPM to execute code.
According to a security bulletin issued by the Trusted Computing Group, the developer of the TPM specification, these buffer overflow vulnerabilities could lead to information disclosure or privilege escalation.
The final impact of problems depends on how the manufacturer implemented the work with a particular memory area: whether it is unused or contains live data.
Quarkslab notes that large technical vendors, organizations that use corporate computers, servers, IoT devices, and embedded systems that include TPM, may be affected by these vulnerabilities. In general, according to the researchers, bugs “can affect billions of devices.”
CERT experts have already published their own warning about these vulnerabilities and report that they have been informing vendors about the bugs for several months in an attempt to raise awareness and mitigate the impact. Unfortunately, only a few organizations ended up confirming that they were affected by CVE-2023-1017 and CVE-2023-1018.
So far, Lenovo is the only major OEM to issue its own security advisory and warn that CVE-2023-1017 affects some of the company’s systems running Nuvoton TPM 2.0.
Let me also remind you that the media wrote that Vulnerability in preinstalled software allows hacking Lenovo laptops in 10 minutes.
CERT warns that the exploitation of fresh vulnerabilities allows either access to sensitive data for reading, or makes it possible to overwrite normally protected data that is accessible only to TPM (for example, cryptographic keys).
All vendors need to migrate to the corrected version of the specification:
- TMP 2.0 v1.59 Errata version 1.4 or higher;
- TMP 2.0 v1.38 Errata version 1.13 or higher;
- TMP 2.0 v1.16 Errata version 1.6 or higher.
Users are encouraged to apply updates released by the Trusted Computing Group and other vendors as soon as possible.
In highly trusted computing environments, users are also advised to consider using TPM Remote Attestation to detect any changes and ensure that the TPM is not tampered with.
