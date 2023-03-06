Two serious security flaws have been reported in the Trusted Platform Module (TPM) 2.0 reference library specification that could lead to information disclosure or privilege escalation.

One of the vulnerabilities, CVE-2023-1017, is an out-of-bounds write, while the other, CVE-2023-1018, is described as an out-of-bounds read. The cybersecurity firm Quarkslab discovered and reported the issues in November 2022.

What are the problems with TPM 2.0, or rather, with its libraries?

“These vulnerabilities can be triggered by user-mode applications by sending malicious commands to a TPM 2.0 whose firmware is based on an affected TCG reference implementation”, the Trusted Computing Group (TCG) said in its advisory.

Various technology giants (Microsoft, Google, Apple, etc.) and any organization that uses corporate computers, servers, IoT devices and embedded systems with a TPM can be affected by the flaws, Quarkslab has highlighted, adding that they “could affect billions of devices”.

A TPM is a hardware-based solution (a dedicated crypto-processor) designed to provide secure cryptographic functions and physical security mechanisms that resist tampering.

“The most common TPM functions are used for system health measurements and for the creation and use of keys”, Microsoft states in its documentation. “During the boot process of a system, the boot code that is loaded (including firmware and operating system components) can be measured and recorded in the TPM”.

Microsoft later adds regarding TPM 2.0 (and TPMs in general): “Integrity measurements can be used as evidence of how well a system booted and to ensure that a TPM-based key was only used when the correct software was used to boot the system“.

The TCG consortium, which publishes the TPM 2.0 specification (and the earlier TPM specifications), noted that the flaws result from missing length checks on command data, leading to buffer overflows that could allow local information disclosure or privilege escalation.
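The shape of the missing check, as an added illustration written for this page and not the TCG reference code: a hypothetical decoder for a TPM2B-style parameter (TPM 2.0 encodes variable-length command parameters as a big-endian 16-bit size followed by that many bytes), shown first trusting the declared size and then bounding it by the bytes actually present in the command and by the destination buffer. The command bodies, the function names and the helper that measures the overrun are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* A TPM2B-style parameter: big-endian UINT16 size, then exactly `size` bytes.
   These command bodies are constructed sample input, not captured TPM traffic. */
static const uint8_t BENIGN_CMD[]    = { 0x00, 0x04, 'k', 'e', 'y', '!' }; /* size 4, 4 bytes follow  */
static const uint8_t MALICIOUS_CMD[] = { 0xFF, 0xFF, 0x41, 0x41 };         /* size 65535, 2 bytes follow */
static const uint8_t TRUNCATED_CMD[] = { 0x00 };                           /* not even a full size field */

static uint16_t read_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable shape (hypothetical, modelled on the bug class the advisory
   describes): the declared size is used as-is, so an inflated size makes
   memcpy read past the end of the command (OOB read) and write past the end
   of dest (OOB write). Only ever call this with a well-formed command. */
static int tpm2b_decode_vulnerable(const uint8_t *cmd, size_t cmd_len,
                                   uint8_t *dest, size_t dest_len)
{
    (void)cmd_len;                 /* the two values the missing checks would use */
    (void)dest_len;
    uint16_t size = read_be16(cmd);
    memcpy(dest, cmd + 2, size);
    return (int)size;
}

/* Hardened: every length is bounded before a single byte is copied. */
static int tpm2b_decode_hardened(const uint8_t *cmd, size_t cmd_len,
                                 uint8_t *dest, size_t dest_len)
{
    if (cmd_len < 2) return -1;                    /* no complete size field */
    uint16_t size = read_be16(cmd);
    if ((size_t)size > cmd_len - 2) return -1;     /* would read past the command */
    if ((size_t)size > dest_len) return -1;        /* would write past dest */
    memcpy(dest, cmd + 2, size);
    return (int)size;
}

/* Reports, without copying anything, how many bytes the vulnerable decoder
   would read beyond the end of a given command buffer. */
static size_t vulnerable_overrun_bytes(const uint8_t *cmd, size_t cmd_len)
{
    if (cmd_len < 2) return 2 - cmd_len;           /* even the size field is short */
    size_t declared = read_be16(cmd), available = cmd_len - 2;
    return declared > available ? declared - available : 0;
}

static uint8_t scratch[16];   /* destination buffer for the demo */

int main(void)
{
    int n = tpm2b_decode_vulnerable(BENIGN_CMD, sizeof BENIGN_CMD, scratch, sizeof scratch);
    printf("benign:    unchecked decoder copied %d bytes: %.*s\n", n, n, (const char *)scratch);
    n = tpm2b_decode_hardened(BENIGN_CMD, sizeof BENIGN_CMD, scratch, sizeof scratch);
    printf("benign:    hardened decoder copied %d bytes: %.*s\n", n, n, (const char *)scratch);
    n = tpm2b_decode_hardened(MALICIOUS_CMD, sizeof MALICIOUS_CMD, scratch, sizeof scratch);
    printf("malicious: hardened result %d; unchecked decoder would read %zu bytes past the command\n",
           n, vulnerable_overrun_bytes(MALICIOUS_CMD, sizeof MALICIOUS_CMD));
    n = tpm2b_decode_hardened(TRUNCATED_CMD, sizeof TRUNCATED_CMD, scratch, sizeof scratch);
    printf("truncated: hardened result %d\n", n);
    return 0;
}
```

The vulnerable decoder is only ever fed the well-formed command; for the malicious one the helper reports how far it would read past the command instead of performing the copy. The two comparisons in the hardened version are the whole fix: checking the declared size against what remains of the command guards the out-of-bounds read, and checking it against the destination guards the out-of-bounds write. Build with `cc -Wall -O2 tpm2b.c` and run the binary.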

Users are advised to apply the updates issued by TCG and other vendors to address the flaws and mitigate the risk in the supply chain.

“Users [working] in high-availability computing environments should consider using TPM Remote Attestation to detect any changes to devices and ensure their TPM is protected from tampering”, the CERT Coordination Center (CERT/CC) said in an advisory.

A couple of thoughts on TPM 2.0

The TPM (and therefore TPM 2.0) is a piece of hardware designed to provide secure cryptographic functions and physical security mechanisms that resist tampering; the vulnerabilities stem from missing length checks, resulting in buffer overflows that could allow local information disclosure or privilege escalation.

The advice to users is to apply the updates released by TCG and other vendors to address the flaws and mitigate the risk in the supply chain. Users in high-availability computing environments should consider using TPM Remote Attestation to detect any changes to devices and ensure that their TPM is protected from tampering.

In summary, this news highlights the importance of keeping the systems and devices you work with constantly updated.

Can the TPM 2.0 library flaws affect Windows 11, given that TPM 2.0 is a prerequisite for it?

It is likely that Windows 11 systems can also be affected, since Windows 11 requires TPM 2.0 and most modern devices rely on it for their cryptographic functions and security mechanisms; however, there is still no official information on how these vulnerabilities affect Windows 11. Because the flaws live in the TPM firmware rather than in Windows, exposure depends on whether a device's TPM runs code derived from the affected reference implementation, and the remedy is a TPM firmware update from the TPM or device vendor, not a Windows update.