A pair of vulnerabilities were discovered in the Trusted Platform Module (TPM) 2.0 reference library specification that could potentially lead to information disclosure or privilege escalation.
Trusted Platform Module is a physical or embedded security technology (microcontroller) that resides on a computer’s motherboard or in its processor. TPMs use cryptography to help securely store essential and critical information on computers to enable platform authentication. TPMs store a variety of sensitive information like user credentials, passwords, fingerprints, certificates, encryption keys, or other important consumer documentation behind a hardware barrier to keep it safe from external attacks.
Tracked as CVE-2023-1017 and CVE-2023-1018, the two discovered bugs are an out-of-bounds write and an out-of-bounds read within the CryptParameterDecryption routine that could be used to execute arbitrary code on the system and to read the contents of memory.
“An attacker with access to a device built with a vulnerable version of the TPM can trigger this bug by sending crafted commands to the TPM. The vulnerable TPM can thus be tricked to access data that is not part of the intended operation. As the OS relies on the TPM firmware for these functions, it may be difficult to detect or prevent such access using traditional host-based security capabilities,” researchers with CERT Coordination Center at Carnegie Mellon University explained in a security advisory.
The Trusted Computing Group (TCG) consortium noted that the security issues stem from missing length checks, which result in buffer overflows that could pave the way for local information disclosure or escalation of privileges.
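As an added illustration of the bug class the advisory describes (a size-prefixed parameter decoded without checking its length against the bytes actually received or the destination capacity), the following C is an example written for this article. It is not the TCG reference code and does not reproduce the real CryptParameterDecryption logic; the 2-byte big-endian size prefix, the PARAM_MAX capacity, the function names and the constructed command bytes are all assumptions made here. The unchecked decoder shows where a missing length check turns into an out-of-bounds read (size larger than the remaining command) or write (size larger than the destination); the checked decoder rejects both cases before any copy happens.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed destination capacity for one decrypted parameter (hypothetical). */
#define PARAM_MAX 64

enum decode_rc { RC_OK = 0, RC_SHORT_HEADER = 1, RC_TRUNCATED = 2, RC_TOO_LARGE = 3 };

/* Unchecked decoder (illustrative defect, not the reference implementation):
 * it trusts the size field carried in the command. If size exceeds the bytes
 * that follow it, memcpy reads past the command buffer; if size exceeds the
 * capacity of `out`, memcpy writes past it. It is only ever called below on a
 * well-formed command, which is exactly where such a defect stays hidden. */
size_t decode_param_unchecked(const uint8_t *cmd, size_t cmd_len, uint8_t *out)
{
    (void)cmd_len;  /* the real length is available but never consulted */
    uint16_t size = (uint16_t)((cmd[0] << 8) | cmd[1]);
    memcpy(out, cmd + 2, size);  /* out-of-bounds read and/or write when size lies */
    return size;
}

/* Hardened decoder: validate the declared size against both the bytes that
 * actually remain in the command and the capacity of the destination. */
enum decode_rc decode_param_checked(const uint8_t *cmd, size_t cmd_len,
                                    uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (cmd_len < 2)
        return RC_SHORT_HEADER;                    /* not even a size field */
    uint16_t size = (uint16_t)((cmd[0] << 8) | cmd[1]);
    if (size > cmd_len - 2)
        return RC_TRUNCATED;                       /* would read past the command */
    if (size > out_cap)
        return RC_TOO_LARGE;                       /* would write past `out` */
    memcpy(out, cmd + 2, size);
    *out_len = size;
    return RC_OK;
}

/* Builds a constructed command body that declares `declared` bytes of
 * parameter data but actually carries `actual` bytes (filled with 0xAB).
 * Returns the number of bytes written, or 0 if it does not fit. */
size_t build_cmd(uint8_t *buf, size_t buf_cap, uint16_t declared, size_t actual)
{
    if (buf_cap < 2 + actual)
        return 0;
    buf[0] = (uint8_t)(declared >> 8);
    buf[1] = (uint8_t)(declared & 0xFF);
    memset(buf + 2, 0xAB, actual);
    return 2 + actual;
}

/* Runs the checked decoder on a constructed command and returns its verdict. */
enum decode_rc try_decode(uint16_t declared, size_t actual)
{
    uint8_t cmd[128];
    uint8_t out[PARAM_MAX];
    size_t out_len = 0;
    size_t n = build_cmd(cmd, sizeof cmd, declared, actual);
    return decode_param_checked(cmd, n, out, sizeof out, &out_len);
}

int main(void)
{
    uint8_t cmd[128], out[PARAM_MAX];
    size_t n = build_cmd(cmd, sizeof cmd, 4, 4);
    /* On a consistent command both decoders behave the same ... */
    printf("unchecked, consistent size: copied %zu bytes\n",
           decode_param_unchecked(cmd, n, out));
    /* ... the difference only shows when the declared size is wrong. */
    printf("checked, size > remaining bytes: rc=%d\n", try_decode(40, 4));
    printf("checked, size > destination:     rc=%d\n", try_decode(100, 100));
    return 0;
}
```

The two rejections map onto the two advisories: a declared size larger than the bytes actually received is the out-of-bounds read case, and a declared size larger than the destination is the out-of-bounds write case. Both checks must be present; either one alone leaves the other defect in place.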
The impacted vendors are recommended to apply a fixed version of the specification, which means one of the following:

- TPM 2.0 v1.59 Errata version 1.4 or higher
- TPM 2.0 v1.38 Errata version 1.13 or higher
- TPM 2.0 v1.16 Errata version 1.6 or higher