Tuesday, March 7th 2023
New Vulnerabilities Found in TPM 2.0 Library That Could be a Potential Threat to Billions of Devices
A pair of new vulnerabilities has been found in the TPM 2.0 library by cybersecurity company Quarkslab, and they have security experts worried, as both flaws have potentially far-reaching implications. The two vulnerabilities are tracked as CVE-2023-1017 and CVE-2023-1018: the first allows out-of-bounds writes and the second out-of-bounds reads, both forms of buffer overflow vulnerability. That in itself might not sound particularly concerning, but because both can be triggered from user-mode applications, they're a pretty big deal: malicious commands could be sent to a TPM 2.0 module, which could in turn enable malicious software to be installed on the device that contains it.
According to Quarkslab, billions of devices could be affected, as TPM 2.0 authentication modules are used in everything from servers to IoT devices and have been the main hardware-based crypto solution for almost a decade by now. An attacker would have to know what they're doing to take advantage of these two flaws in TPM 2.0, but as the attack relies on the TPM command interface, there's no easy way to protect against it once someone has gained user access to the system in question. The Trusted Computing Group (TCG), which is in charge of the TPM standard, has already issued errata with instructions on how to address the two vulnerabilities, and we're likely to see updates from all major hardware vendors as they see fit.
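Since the fix will arrive as vendor firmware updates, the practical first step for an administrator is knowing which TPM is in each machine. As an added example that is not code from the article, Quarkslab or the TCG, the Python below parses the output of `tpm2_getcap properties-fixed` (tpm2-tools) into the manufacturer, family, spec revision and raw firmware version words; it assumes that tool's YAML-style output, uses a constructed sample, and leaves the vendor-specific decoding of the firmware words to the vendor's own advisory.

```python
"""Inventory the local TPM from `tpm2_getcap properties-fixed` output.
Added example (not from the article, Quarkslab or the TCG); it assumes the
YAML-style tpm2-tools output shown in the constructed sample below."""
import re
import subprocess
# Constructed sample output; on a real system call run_getcap() instead.
SAMPLE = """\
TPM2_PT_FAMILY_INDICATOR:
  raw: 0x322E3000
  value: "2.0"
TPM2_PT_REVISION:
  raw: 0x8A
  value: 1.38
TPM2_PT_MANUFACTURER:
  raw: 0x49465800
  value: "IFX"
TPM2_PT_FIRMWARE_VERSION_1:
  raw: 0x70055
TPM2_PT_FIRMWARE_VERSION_2:
  raw: 0x10000
"""
# One TPM2_PT_* header line followed by its indented raw:/value: lines.
_ENTRY = re.compile(r"^(TPM2_PT_\w+):\n((?:[ \t]+.*\n?)*)", re.M)

def parse_properties_fixed(text: str) -> dict:
    """Return {property_name: raw_int} for every TPM2_PT_* entry."""
    props = {}
    for name, body in _ENTRY.findall(text):
        m = re.search(r"raw:\s*(0x[0-9A-Fa-f]+|\d+)", body)
        if m:
            props[name] = int(m.group(1), 0)
    return props

def ascii_id(raw: int) -> str:
    """Family and vendor IDs are four big-endian ASCII bytes, NUL-padded."""
    return raw.to_bytes(4, "big").decode("ascii", "replace").rstrip("\x00 ")

def inventory(text: str) -> dict:
    """The fields an admin compares against the TPM vendor's advisory."""
    p = parse_properties_fixed(text)
    return {
        "family": ascii_id(p["TPM2_PT_FAMILY_INDICATOR"]),    # "2.0"
        "manufacturer": ascii_id(p["TPM2_PT_MANUFACTURER"]),  # "IFX"
        "spec_revision": p["TPM2_PT_REVISION"] / 100,         # 0x8A -> 1.38
        # Firmware words are vendor-specific; report them raw, undecoded.
        "firmware_raw": (p["TPM2_PT_FIRMWARE_VERSION_1"], p["TPM2_PT_FIRMWARE_VERSION_2"]),
    }

def run_getcap() -> str:  # needs tpm2-tools and access to the TPM device
    return subprocess.run(["tpm2_getcap", "properties-fixed"],
                          check=True, capture_output=True, text=True).stdout
```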
Sources:
Quarkslab, via Hacker News, Trusted Computing Group (errata)
33 Comments on New Vulnerabilities Found in TPM 2.0 Library That Could be a Potential Threat to Billions of Devices
But wait, OneDrive to the rescue, it's just a disposable device, right? :laugh:
:)
Looks like this might get to be fixed with software though, which is nice. Better than TPM 1.2 hardware sec issue I guess.
It exists to protect the system against its users. This could be Microsoft using it as a form of tamper protection, or it could be a corporation protecting its laptops.
End of the day, it is not really meant to protect the user, nor will it ever be effective for that.
So the requirement of TPM is absurd. The only motivation is selling PCs to keep the PC market from collapsing, which was a very real possibility and to some degree still is. The Covid pandemic has had a number of disruptive effects. While I despise them doing this and how they did it, the reason can be understood, even if it is despicable. There are better ways to motivate PC sales and upgrades. The boneheads at Microsoft simply didn't use their brains for anything more than a seat cushion (looking at you, Microsoft board of directors).
Literally, things were more secure when there was no security in-built and whoever deployed the kit, actually had to know what they were doing...
I still tend to agree w/ hat. If you're already pwned, there's not much stopping full access. However, I could see these kinds of security exploits used to somehow 'get around' User-permissions limitations.
Basically, IMO as a pedestrian home user/enthusiast: This is of little concern.
However, for companies that spent $$$$$$+ on 'highly secure, new msft-approved equipment' might:
A. have something to worry about
B. be miffed as all hell.
Lots of misunderstandings in this thread, don't even know where to begin...