Trusted Platform Module (TPM) 2.0 has been affected with vulnerabilities that could lead to information disclosure or escalation of privilege.
The bugs are being identified in the Revisions 1.59, 1.38 and 1.16 of the module’s reference implementation code.
The disclosed flaws occurred when handling malicious TPM 2.0 commands with encrypted parameters. Both are in the `CryptParameterDecryption` function, which is defined in the TCG document.
- The first of the vulnerabilities is tracked as CVE-2023-1018 is an out-of-bound read bug,
- The second is tracked as CVE-2023- 1017 is defined as an out-of-bounds write.
These vulnerabilities can be triggered from user-mode applications by sending malicious commands to a TPM 2.0 whose firmware is based on an affected TCG reference implementation. Additional instances may be identified because of the TPM Work Group ongoing analysis and may result in a larger scope of potential vulnerabilities.
According to the CERT advisory, the flaws would enable read-only access to sensitive data or overwriting of protected data only available to the TPM, such as cryptographic keys. Before the public disclosure, TCG updated their Errata for TPM2.0 Library Specification with guidelines on how to remediate the flaws.
Updating the firmware of TPM chips is necessary, and this can be done through an OS vendor or the OEM. In some cases, the OEM may require resetting the TPM to its original factory default values as part of the update process.
The bugs were discovered by researchers at Quarks Lab and later the company concluded a coordinated disclosure process with the CERT Coordination Center and Trusted Computing Group.