Security News > 2023 > March > New TPM 2.0 flaws could let hackers steal cryptographic keys
TPM is a hardware-based technology that provides operating systems with tamper-resistant secure cryptographic functions.
While a TPM is required for some Windows security features, such as Measured Boot, Device Encryption, Windows Defender System Guard, Device Health Attestation, it is not required for other more commonly used features.
There are Linux tools available that allow applications and users to secure data in TPMs. The new vulnerabilities in TPM 2.0 were discovered by Quarkslab's researchers Francisco Falcon and Ivan Arce who said the flaws could impact billions of devices.
Both flaws arise from how the specification processes the parameters for some TPM commands, allowing an authenticated local attacker to exploit them by sending maliciously crafted commands to execute code within the TPM. According to the security bulletin by Trusted Computing Group, the developer of the TPM specification, this could result in information disclosure or escalation of privileges.
Lenovo is the only major OEM that has issued a security advisory about the two TPM flaws so far, warning that CVE-2023-1017 impacts some of its systems running on Nuvoton TPM 2.0 chips.
TPM is a highly-secured space that should theoretically be shielded even from malware running on the device, so the practical importance of these vulnerabilities shouldn't be ignored or downplayed.
News URL
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-02-28 | CVE-2023-1017 | Out-of-bounds Write vulnerability in multiple products An out-of-bounds write vulnerability exists in TPM2.0's Module Library allowing writing of a 2-byte data past the end of TPM2.0 command in the CryptParameterDecryption routine. | 7.8 |