Trusted Platform Module (TPM) 2.0 Buffer Overflow Vulnerabilities

Dataprise Defense Digest

ID: D3-2023-03-7

CVE-2023-1017 and CVE-2023-1018

Severity: TBA

Published: March 7th, 2023

EXECUTIVE SUMMARY

Two buffer overflow vulnerabilities have been discovered in the Trusted Platform Module (TPM) 2.0 specification that could lead to attackers accessing or overwriting sensitive data such as cryptographic keys. These vulnerabilities can impact billions of devices that use TPMs, including those running on Windows 11. The vulnerabilities are tracked as CVE-2023-1017 and CVE-2023-1018. While only a few vendors have confirmed being impacted, users are advised to take necessary precautions such as limiting physical access to devices, using signed applications, and applying firmware updates as soon as possible.

IMPACT

TPM is a hardware-based technology that provides operating systems with secure cryptographic functions. It stores cryptographic keys, passwords, and other critical data, so any vulnerability in its implementation is a cause for concern. The newly discovered vulnerabilities in TPM 2.0 allow an authenticated local attacker to send maliciously crafted commands that execute code within the TPM. This could result in information disclosure or escalation of privileges, leading to unauthorized access to sensitive data. The impact of the vulnerabilities depends on what vendors have implemented at the affected memory location. It is important to note that these vulnerabilities require authenticated local access to a device, which could be achieved by malware running on the device.

DETAILED ANALYSIS

The buffer overflow vulnerabilities in TPM 2.0 arise from how the specification processes the parameters for some TPM commands. The flaws allow an authenticated local attacker to send maliciously crafted commands that execute code within the TPM. This could result in information disclosure or escalation of privileges, leading to unauthorized access to sensitive data. The Trusted Computing Group, the developer of the TPM specification, explains that the buffer overflow problems concern reading or writing 2 bytes past the end of the buffer passed to the ExecuteCommand() entry point.

The impact of the vulnerabilities depends on what vendors have implemented at that memory location. If it is unused memory, the impact may be minimal. However, if it contains live data, such as cryptographic keys, the impact could be severe.
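
The class of flaw described above, a 2-byte read or write past the end of a command buffer, is avoided by checking the remaining length before every fixed-width access. The C example below is added here for illustration and is not code from the TPM specification or from any vendor; `cursor_t`, `read_u16`, `process_sized_param`, the size-prefixed layout and the XOR transformation are all hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical cursor over an untrusted command buffer. */
typedef struct {
    uint8_t *p;        /* next unprocessed byte */
    size_t remaining;  /* bytes left before the end of the buffer */
} cursor_t;

/* Read a big-endian 16-bit field. Without the length check, a buffer with
 * 0 or 1 bytes remaining would be read up to 2 bytes past its end. */
static int read_u16(cursor_t *c, uint16_t *out)
{
    if (c->remaining < 2)
        return -1;
    *out = (uint16_t)((c->p[0] << 8) | c->p[1]);
    c->p += 2;
    c->remaining -= 2;
    return 0;
}

/* Process one [u16 size][size bytes] parameter in place.
 * XOR stands in for whatever in-place transformation a real handler applies.
 * Returns the number of payload bytes processed, or -1 on malformed input. */
int process_sized_param(uint8_t *buf, size_t len, uint8_t key)
{
    cursor_t c = { buf, len };
    uint16_t size;

    if (read_u16(&c, &size) != 0)
        return -1;                 /* the size field itself is truncated */
    if (size > c.remaining)
        return -1;                 /* declared size overruns the buffer */

    for (uint16_t i = 0; i < size; i++)
        c.p[i] ^= key;             /* every write stays inside the buffer */
    return (int)size;
}

int main(void)
{
    uint8_t ok[]  = { 0x00, 0x02, 0xAA, 0xBB };  /* constructed: size=2 + 2 bytes */
    uint8_t cut[] = { 0x00 };                    /* constructed: truncated size field */
    printf("%d %d\n", process_sized_param(ok, sizeof ok, 0xFF),
                      process_sized_param(cut, sizeof cut, 0xFF));
    return 0;
}
```

Both rejections happen before any payload byte is touched, so a malformed command leaves the buffer and its neighbouring memory unchanged.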

MITIGATION STEPS

The solution for impacted vendors is to move to a fixed version of the specification: TPM 2.0 v1.59 Errata version 1.4 or higher, TPM 2.0 v1.38 Errata version 1.13 or higher, or TPM 2.0 v1.16 Errata version 1.6 or higher. Lenovo is the only major OEM that has issued a security advisory about the two TPM flaws so far, warning that CVE-2023-1017 impacts some of its systems running on Nuvoton TPM 2.0 chips.

Users are advised to take necessary precautions such as limiting physical access to their devices to trusted users, only using signed applications from reputable vendors, and applying firmware updates as soon as they become available for their devices. It is important to note that these vulnerabilities require authenticated local access to a device, which could be achieved by malware running on the device. Therefore, it is also recommended to use anti-malware software and to be vigilant against suspicious activity on devices.

SOURCES

  • https://www.tomsguide.com/news/billions-of-pcs-and-other-devices-vulnerable-to-newly-discovered-tpm-20-flaws
  • https://www.bleepingcomputer.com/news/security/new-tpm-20-flaws-could-let-hackers-steal-cryptographic-keys/

CONTRIBUTING AUTHORS

  • Dan Mervis, Cybersecurity Analyst
