Standard Implementation of TPM 2.0 Vulnerable to Data Access

Trusted Computing Group has reported a vulnerability in the implementation of the Trusted Platform Module (TPM) 2.0 specification. The flaw, found in the standard implementation, can allow an attacker to write or read data in a dedicated buffer, including cryptographic keys. The vulnerability, tracked as CVE-2023-1017 and CVE-2023-1018, arises from incorrect checking of the size of the parameters of the CryptParameterDecryption() function. The flaw has been eliminated in the updated TPM 2.0 specification released in January, in Errata 1.4, 1.13, and 1.6.

Exploiting the vulnerability involves sending specially crafted commands to the TPM module, so the attacker must have access to the TPM interface. The two bytes that can be overwritten can corrupt unused memory as well as data and pointers on the stack. The risk of data tampering is therefore high for those using TPM firmware that contains the vulnerable code. This could lead to backdoors that run on the TPM side and are not detectable from the operating system.
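An added example, not code from the TCG reference implementation or libtpms: a simplified C model of the size check described above, assuming a parameter that carries a 2-byte big-endian length prefix. All function names, the XOR stand-in for decryption and the sample buffer are constructed for illustration; the weak variant only reports the length it would accept and never touches the payload.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names; a simplified model, not TCG or libtpms code. */
#define PARAM_BAD_SIZE (-1L)

/* Big-endian 16-bit size prefix of a size-prefixed parameter. */
static uint16_t read_be16(const uint8_t *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Weak check: compares the claimed size with the whole buffer and
 * forgets that the 2-byte prefix has already been consumed, so it
 * accepts a length up to two bytes longer than the payload. */
long weak_accepted_len(const uint8_t *buf, size_t buf_size) {
    if (buf_size < 2) return PARAM_BAD_SIZE;
    uint16_t claimed = read_be16(buf);
    if (claimed > buf_size) return PARAM_BAD_SIZE; /* ignores the prefix */
    return claimed;
}

/* Strict check: subtract the prefix before comparing. */
long strict_accepted_len(const uint8_t *buf, size_t buf_size) {
    if (buf_size < 2) return PARAM_BAD_SIZE;       /* no room for prefix */
    uint16_t claimed = read_be16(buf);
    if (claimed > buf_size - 2) return PARAM_BAD_SIZE;
    return claimed;
}

/* Stand-in for in-place decryption (XOR with one byte), run only after
 * the strict check passes. Returns bytes processed or PARAM_BAD_SIZE. */
long process_param(uint8_t *buf, size_t buf_size, uint8_t key) {
    long n = strict_accepted_len(buf, buf_size);
    if (n < 0) return PARAM_BAD_SIZE;
    for (long i = 0; i < n; i++) buf[2 + i] ^= key;
    return n;
}

int main(void) {
    /* Constructed sample: prefix claims 6 bytes, only 4 follow it. */
    uint8_t bad[6] = {0x00, 0x06, 'A', 'B', 'C', 'D'};
    printf("weak accepts:   %ld\n", weak_accepted_len(bad, sizeof bad));
    printf("strict accepts: %ld\n", strict_accepted_len(bad, sizeof bad));
    printf("processed:      %ld\n", process_param(bad, sizeof bad, 0x5a));
    return 0;
}
```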

The Trusted Computing Group also reported that libtpms, which is used for software emulation of TPM modules and for integrating TPM support into hypervisors, contains the flaw as well. An attack on libtpms could allow an attacker to escape a guest system and execute code on the host system. The vulnerability is fixed in libtpms 0.9.6.
