New Vulnerabilities Found in TPM 2.0 Library

A pair of new vulnerabilities have been found within the TPM 2.0 Library by a cybersecurity company by the name of Quarkslab. These vulnerabilities have the potential to be a threat to billions of devices

What Are the Vulnerabilities?

These vulnerabilities involve the Trusted Platform Module, TPM for short, which is, ironically, used to improve the security of your PC and securely create and store cryptographic keys, to confirm that the operating system and firmware on your device are what they’re supposed to be and haven’t been tampered with. TPM is one of the requirements for Windows 11. According to QuarksLab two vulnerabilities CVE-2023-1017 and CVE-2023-1018 have been found in TPM 2.0 which concern an out-of-bounds-write and an out-of-bounds-read. These issues require the attacker to really know what they are doing for them to take advantage of these vulnerabilities.

What’s The Solution?

The Trusted Computing Group (TCG) which is behind the TPM standard have released an errata on how to address these vulnerabilities and noted that “these shortcomings are the result of a lack of necessary length checks, resulting in buffer overflows that could pave the way for local information disclosure or escalation of privileges.” TCG recommends that vendors should apply the updates to address the flaws, which for us means that we will likely see an update from major hardware vendors to address this issue shortly.

What do you think of this? Let us know in the comments.