Vulnerabilities > CVE-2021-32015 - Missing Authorization vulnerability in Nuvoton Npct75X Firmware 7.4.0.0

CVSS 6.0 - MEDIUM

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

HIGH

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

NONE

local

low complexity

nuvoton

CWE-862

NVD

Published: 2021-06-08

Updated: 2021-06-21

Summary

In Nuvoton NPCT75x TPM 1.2 firmware 7.4.0.0, a local authenticated malicious user with high privileges could potentially gain unauthorized access to TPM non-volatile memory. NOTE: Upgrading to firmware version 7.4.0.1 will mitigate against the vulnerability, but version 7.4.0.1 is not TCG or Common Criteria (CC) certified. Nuvoton recommends that users apply the NPCT75x TPM 1.2 firmware update.

Vulnerable Configurations

Part	Description	Count
OS	Nuvoton Nuvoton Npct75X Firmware 7.4.0.0	1
Hardware	Nuvoton Nuvoton Npct75X 1.2	1

Common Weakness Enumeration (CWE)

CWE-862 - Missing Authorization

References

https://www.nuvoton.com/support/product-related-information/security-advisories/sa-001/