Two buffer overflow vulnerabilities have been discovered in the Trusted Platform Module (TPM) 2.0 specification, which could give cybercriminals unauthorized access to or the ability to overwrite sensitive data such as cryptographic keys.
TPM is a hardware-based technology that offers secure cryptographic functions to operating systems. It is commonly used to store passwords, cryptographic keys, and other crucial data. As a result, any vulnerability in its implementation poses a significant security risk.
While a TPM is necessary for certain Windows security features like Measured Boot, Device Encryption, Windows Defender System Guard (DRTM), and Device Health Attestation, it is not mandatory for other commonly used features.
However, if a Trusted Platform Module is present, it provides an additional layer of security to protect sensitive information and encrypt data for Windows security features.
The TPM 2.0 specification gained widespread attention and controversy when Microsoft made it a requirement for running Windows 11. This was due to its ability to provide necessary boot security measures and guarantee reliable authentication with Windows Hello face recognition.
While Linux also supports TPMs, there are no mandatory requirements for the operating system to use the module. Nonetheless, Linux tools are available for users and applications to secure their data in TPMs.
The TPM 2.0 exploit
Researchers from Quarkslab, Francisco Falcon, and Ivan Arce have discovered new vulnerabilities in TPM 2.0 that could potentially affect billions of devices. The two vulnerabilities are known as CVE-2023-1017 (out-of-bounds read) and CVE-2023-1018 (out-of-bounds write).
The vulnerabilities arise due to how the TPM specification processes parameters for certain commands, which allows authenticated local attackers to exploit them by sending maliciously crafted commands to execute code within the TPM.
The Trusted Computing Group (TCG), the developer of the TPM specification, has issued a security bulletin warning that this could result in information disclosure or escalation of privileges.
According to TCG, the buffer overflow problems relate to reading or writing two bytes beyond the end of the buffer passed to the ExecuteCommand() entry point. The impact of this depends on the memory location and whether it contains live data or not.
The CERT Coordination Center has been alerting vendors about these vulnerabilities for months, but only a few have confirmed that they are affected. CERT warns that an attacker who has access to a TPM-command interface can send maliciously crafted commands to the module and trigger these vulnerabilities, leading to read-only access to sensitive data or overwriting of normally protected data like cryptographic keys.
Vendors who are impacted by these vulnerabilities should move to a fixed version of the specification, which includes:
- TMP 2.0 v1.59 Errata version 1.4 or higher
- TMP 2.0 v1.38 Errata version 1.13 or higher
- TMP 2.0 v1.16 Errata version 1.6 or higher
Lenovo is the only major OEM that has issued a security advisory about the two TPM flaws so far, warning that CVE-2023-1017 impacts some of its systems running on Nuvoton TPM 2.0 chips.
While these vulnerabilities require authenticated local access to a device, it’s important to remember that malware running on the device would meet that condition. TPM is supposed to be a highly secured space, even from malware running on the device, so the practical importance of these vulnerabilities should not be downplayed.
Users are advised to limit physical access to their devices to trusted users, use only signed applications from reputable vendors, and apply firmware updates as soon as they become available for their devices.