Tuesday, March 7th 2023

New Vulnerabilities Found in TPM 2.0 Library That Could be a Potential Threat to Billions of Devices

A pair of new vulnerabilities has been found in the TPM 2.0 library by cybersecurity company Quarkslab, that has security experts worried, as both of the flaws have potential far reaching implications. The two vulnerabilities go under the CVE identifiers of CVE-2023-1017 and CVE-2023-1018, where the first one allows for out-of-bounds writes, whereas the second one enables out-of-bounds reads, also known as buffer overflow vulnerabilities. This in itself might not sound particularly concerning, but as both can be triggered from user-mode applications, they're a pretty big deal, as it would enable malicious commands to be sent to a TPM 2.0 module, which could in turn enable malicious software to be installed on the device with the TPM 2.0 module.

According to Quarkslab, billions of devices could be affected, as TPM 2.0 authentication modules are used in everything from servers to IoT devices and has been the main hardware-based crypto solution for almost a decade by now. The attacker using the vulnerabilities would have to know what they're doing to be able to take advantage of these two flaws in TPM 2.0, but as it relies on the TPM command interface, there's no easy way to protect against an attack, if someone has gained user access to the system in question. The Trusted Computing Group (TCG) which is in charge of the TPM standard, has already issued an errata which includes instructions on how to address the two vulnerabilities and we're like to see updates from all major hardware vendors as they see fit.
Sources: Quarkslab, via Hacker News, Trusted Computing Group (errata)
Add your own comment

33 Comments on New Vulnerabilities Found in TPM 2.0 Library That Could be a Potential Threat to Billions of Devices

#1
Assimilator
You'd expect that an organisation that's supposed to be about security would be able to write code that does bounds checking properly, but apparently not...
Posted on Reply
#2
TumbleGeorge
AssimilatorYou'd expect that an organisation that's supposed to be about security would be able to write code that does bounds checking properly, but apparently not...
Oh, it's quite obvious that they are pushing us to buy motherboards and other devices with updated versions of hardware TPM chips. There are no random things, only greed.
Posted on Reply
#3
ThrashZone
Hi,
But wait onedrive to the rescue it's just a disposable devise right :laugh:
Posted on Reply
#4
lexluthermiester
TheLostSwedeA pair of new vulnerabilities have been found in the TPM 2.0 library
Gee golly darn, who saw THIS coming...
AssimilatorYou'd expect that an organisation that's supposed to be about security would be able to write code that does bounds checking properly, but apparently not...
Or perhaps proper and complete TESTING before releasing.
Posted on Reply
#5
catulitechup
I remember when M$ said TPM 2.0 for more security................and now



:)
Posted on Reply
#6
Solaris17
Super Dainty Moderator
Not bad for a decade of existing I guess. These API libraries after all have nothing to do with MS. :rolleyes:

Looks like this might get to be fixed with software though, which is nice. Better than TPM 1.2 hardware sec issue I guess.
Posted on Reply
#7
A Computer Guy
TumbleGeorgeOh, it's quite obvious that they are pushing us to buy motherboards and other devices with updated versions of hardware TPM chips. There are no random things, only greed.
It's a coincidence!
Posted on Reply
#8
JAB Creations
Gee, Microsoft who is basically married to the criminal organization masquerading as a "government" pushing TPM 2.0 as a "requirement" for Windows 11 and the device is found to have vulnerabilities?!

Posted on Reply
#9
sLowEnd
lexluthermiesterGee golly darn, who saw THIS coming...


Or perhaps proper and complete TESTING before releasing.
lol who tests any software or hardware these days? The name of the game is to get a minimum viable product out and maybe patch it later but not really, go buy our new product instead
Posted on Reply
#11
qlum
The misunderstanding about TPM is that people think it's about protecting them.
It exists to protect the system against it's users. This could be Microsoft using it as a form of tamper protection, or it could be a corporation protecting it's laptops.
End of the day, it is not really meant to protect the user, nor will it ever be effective for that.
Posted on Reply
#12
Wirko
The S in TPM stands for ... aaah-hemm.
Posted on Reply
#13
A Computer Guy
Can't wait until TPM with 2FA becomes a thing. :laugh:
Posted on Reply
#14
johnspack
Here For Good!
This is why MS wants us to have TPM 2.0? For Win11? Okay. Hmmmm.....
Posted on Reply
#15
AsRock
TPU addict
johnspackThis is why MS wants us to have TPM 2.0? For Win11? Okay. Hmmmm.....
No, MS want you to have it so there is a bigger chance of you needing a new PC. there be a few software fiixes that possibly break stuff then a newer TPM like 2.1 or 3.0 which requires a new OS ha.
Posted on Reply
#16
lexluthermiester
AsRockNo, MS want you to have it so there is a bigger chance of you needing a new PC. there be a few software fiixes that possibly break stuff then a newer TPM like 2.1 or 3.0 which requires a new OS ha.
Regardless of what microsoft claims, there is no good reason for TPM in consumer level PC's. TPM does not help the average PC user in any way. It has the potential to cause serious problems.

So the requirement of TPM is absurd. The only motivation is selling PC's to keep the PC market from collapsing, which was a very real possibility and to some degree still is. The Covid Pandemic has had a number of disruptive effects. While I despise them doing this and how they did it, the reason can be understood, even if it is despicable. There are better ways to do motivate PC sales and upgrades. The boneheads at microsoft simply didn't use their brains for anything more that a seat cushion(looking at you microsoft board of directors).
Posted on Reply
#17
LabRat 891
This is just perfect for a Microsoft Sam 'ROFLcopter'

Literally, things were more secure when there was no security in-built and whoever deployed the kit, actually had to know what they were doing...
Posted on Reply
#18
hat
Enthusiast
"if someone has gained user access" so yet another weird exploit that can screw you when you're already screwed. It's like saying a thief who has stolen your car may be able to start your engine.
Posted on Reply
#19
P4-630
So physical local access is needed?
Posted on Reply
#20
LabRat 891
P4-630So physical local access is needed?
At least from the terms used, no. "User Access" could include a compromised account profile or phished/social engineered credentials.
I still tend to agree w/ hat. If you're already pwned, there's not much stopping full access. However, I could see these kinds of security exploits used to somehow 'get around' User-permissions limitations.

Basically, IMO as a pedestrian home user/enthusiast: This is of little concern.
However, for companies that spent $$$$$$+ on 'highly secure, new msft-approved equipment' might:
A. have something to worry about
B. be miffed as all hell.
Posted on Reply
#21
VolutedJoker
No lie, I literally updated to TPM 2.0 last night just to get the free upgrade to Windows 11. SMH
Posted on Reply
#22
A Computer Guy
What about AMD CPU based TPM? No problems there or is that an entirely different beast?
Posted on Reply
#23
LabRat 891
A Computer GuyWhat about AMD CPU based TPM? No problems there or is that an entirely different beast?
According to the article, it's the whole library/spec.
Posted on Reply
#24
lexluthermiester
P4-630So physical local access is needed?
Maybe.
VolutedJokerNo lie, I literally updated to TPM 2.0 last night just to get the free upgrade to Windows 11. SMH
You should have just used a bypass and used 11 anyway. The requirements are just microsoft BS anyway.
Posted on Reply
#25
R-T-B
qlumThe misunderstanding about TPM is that people think it's about protecting them.
It exists to protect the system against it's users. This could be Microsoft using it as a form of tamper protection, or it could be a corporation protecting it's laptops.
End of the day, it is not really meant to protect the user, nor will it ever be effective for that.
It can be used both ways. Yes it can theoretically store DRM keys. I'm surprised by how little this is done however.

Lots of misunderstandings in this thread, don't even know where to begin...
Posted on Reply
Add your own comment
Dec 19th, 2024 04:13 EST change timezone

New Forum Posts

Popular Reviews

Controversial News Posts