Two buffer overflow flaws in the Trusted Platform Module (TPM) 2.0 specification could let attackers access or replace sensitive data, like cryptographic keys. TPM is a hardware-based solution that offers tamper-resistant operating systems and secure cryptographic services.
It can be used to store passwords, cryptographic keys, and other important data, so any implementation flaws should be taken seriously. A TPM is necessary for some Windows security features, including Measured Boot, Device Encryption, Windows Defender System Guard (DRTM), and Device Health Attestation, but not for other more widely used functions.
Yet, Windows security features receive improved protection in protecting and encrypting sensitive data when a Trusted Platform Module is available. This is due to its needed boot security features and assurance that Windows Hello facial recognition enables trustworthy authentication.
The TPM 2.0 specification garnered prominence (and controversy) when Microsoft made it a prerequisite for running Windows 11. Linux also supports TPMs, although there are no restrictions on how to use the module. On the other hand, Linux tools enable users and applications to secure data in TPMs.
Researchers Francisco Falcon and Ivan Arce from Quarkslab warned the holes might affect billions of devices when they announced they found additional vulnerabilities in TPM 2.0. Out-of-bounds read, and CVE-2023-1018 are the vulnerabilities’ tracking numbers (out-of-bounds write).
The TPM 2.0 Security Flaws
These issues are caused by how the specification handles the parameters for some TPM instructions. They can both be exploited by an authenticated local attacker by sending maliciously constructed commands to the TPM to execute code there.
This could lead to the leakage of information or the escalation of privileges, according to the security bulletin issued by the Trusted Computing Group (TCG). This company created the TPM specification.
According to the Trusted Computing Group, reading or writing the next two bytes after the buffer’s end is given to the ExecuteCommand() entry point causes buffer overflow issues. The effect of this relies on what the vendors have implemented in that memory address, i.e., whether it contains live data or is empty memory.
In an effort to spread awareness while assessing the consequences, the CERT Coordination Center has been informing suppliers and publishing alerts about the vulnerabilities for months. Regrettably, very few organizations have acknowledged being impacted.
The CERT said an attacker could exploit the module with access to a TPM-command interface by sending specially designed commands.
This enables either read-only access to sensitive data that is only accessible to the TPM or overwriting of usually protected data that is only accessible to the TPM (such as cryptographic keys).
Moving to a fixed version of the specification that contains one of the following is the remedy for impacted vendors:
- TMP 2.0 v1.59 Version 1.4 or later of the errata.
- Errata version 1.13 or higher for TMP 2.0.
- TMP 2.0 v1.16 Version 1.6 or later of the errata
Lenovo is the only significant OEM to have warned about CVE-2023-1017 affecting some of its systems using Nuvoton TPM 2.0 chips in a security advisory about the two TPM problems to date.
Keep in mind that malware on the device would satisfy the requirement even though these weaknesses call for authenticated local access to a device.
The practical significance of these vulnerabilities shouldn’t be overlooked or minimized because TPM is a highly secure area that should be protected even from malware that is running on the device.
Users are advised to use only signed programs from reliable suppliers, restrict physical access to their devices to trusted individuals, and update the firmware on their devices as soon as it becomes available.
Conclusion
The Trusted Platform Module (TPM) 2.0 has two different vulnerabilities that could result in data exposure or privilege escalation. TPM, in its most basic form, is a hardware-based technology that offers safe cryptographic services to the operating systems of modern computers, making them impervious to hacking. The vulnerabilities affecting Revisions 1.59, 1.38, and 1.16 of the module’s standard implementation code were initially found by security researchers at Quarks Lab in November.
The business finished a coordinated disclosure process with the CERT Coordination Center and Trusted Computing Group earlier this week (TCG). The latter business publishes the TPM 2.0 Library material. The vulnerabilities were discovered in the way malicious TPM 2.0 instructions with encrypted parameters were handled. Both of these are found in the TCG document’s “CryptParameterDecryption” function. Out-of-bound read bugs are the first vulnerability (CVE-2023-1018), while out-of-bounds write bugs are the second (CVE-2023-1017).
