Black Arrow Cyber Advisory 09 March 2023 – Security Flaws in TPM 2.0 Pose Significant Risk

Executive Summary

Security researchers at Quarkslab have identified two critical vulnerabilities (CVE-2023-1017 and CVE-2023-1018) in Trusted Platform Module (TPM) firmware. TPMs are used by most modern PCs to make them resistant to tampering, and the vulnerabilities could affect billions of devices.

What’s the risk to my business?

Successful exploitation of the vulnerabilities could lead to local information disclosure, and could allow attackers to make the TPM unavailable (a denial of service), read sensitive data or escalate privileges. In some cases, an attacker can overwrite protected data in the TPM and go undetected. To exploit the vulnerabilities, the attacker would need access to a TPM command interface in order to send maliciously crafted commands to a vulnerable TPM.

What can I do?

The Trusted Computing Group (TCG) have released an updated version of their TPM 2.0 library specification: TPM 2.0 Library Specifications v1.59 Errata Version 1.4. Once this update has been incorporated into operating system and original equipment manufacturer (OEM) firmware, it is recommended that the updated version is installed. In the meantime, remote attestation may help identify if any changes have been made to the TPM.
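
Because exploitation requires access to a TPM command interface, it is worth knowing which local accounts can reach that interface while firmware updates are pending. The script below is an added example, not part of the original advisory: it reports who holds write access to the TPM device nodes on a Linux host, assuming the standard kernel nodes /dev/tpm0 and /dev/tpmrm0, the sysfs file tpm_version_major, and GNU stat.

```shell
#!/bin/sh
# Added example (not from the advisory): report which local accounts can send
# commands to the TPM through the Linux device nodes.
# Assumptions: kernel TPM nodes /dev/tpm0 and /dev/tpmrm0, GNU stat.

# tpm_access MODE OWNER GROUP
# MODE is the octal permission string from `stat -c %a` (for example 660).
# Prints who holds write access; a command is sent by writing to the node.
tpm_access() {
    mode=$1; owner=$2; group=$3
    perms=$(( 0$mode ))            # leading 0 makes the shell read it as octal
    if [ $(( perms & 0002 )) -ne 0 ]; then
        echo "world-writable: every local user"
    elif [ $(( perms & 0020 )) -ne 0 ]; then
        echo "owner $owner and group $group"
    elif [ $(( perms & 0200 )) -ne 0 ]; then
        echo "owner $owner only"
    else
        echo "no write access"
    fi
}

# audit_tpm_nodes: classify each TPM device node present on this host.
audit_tpm_nodes() {
    found=0
    for node in /dev/tpm0 /dev/tpmrm0; do
        [ -e "$node" ] || continue
        found=1
        # %a = octal mode, %U = owner name, %G = group name (GNU stat)
        set -- $(stat -c '%a %U %G' "$node")
        echo "$node ($1 $2:$3): $(tpm_access "$1" "$2" "$3")"
    done
    [ "$found" -eq 1 ] || echo "no TPM device node found"
    # Recent kernels expose the TPM family (1 or 2) in sysfs.
    ver=/sys/class/tpm/tpm0/tpm_version_major
    [ -r "$ver" ] && echo "TPM family: $(cat "$ver")"
    return 0
}

audit_tpm_nodes
```

A node reported as world-writable, or writable by a broadly populated group, means more local accounts can reach the TPM command interface than necessary.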


Documentation for the upgrade can be found here: https://trustedcomputinggroup.org/wp-content/uploads/TPM-2.0-Library-Spec-v1.59-Errata-v1.4_pub.pdf

An advisory from the Trusted Computing Group can be found here: https://trustedcomputinggroup.org/wp-content/uploads/TCGVRT0007-Advisory-FINAL.pdf

CVE-2023-1017 can be found here: https://nvd.nist.gov/vuln/detail/CVE-2023-1017

CVE-2023-1018 can be found here: https://nvd.nist.gov/vuln/detail/CVE-2023-1018
