Two vulnerabilities detected in TPM 2.0 allow access to protected data


If exploited, these flaws can give attackers unauthorized access to sensitive information or cause other problems in the module

News recently broke that two vulnerabilities (already cataloged as CVE-2023-1017 and CVE-2023-1018) have been identified in the code of the reference implementation of the TPM 2.0 (Trusted Platform Module) specification.

The detected faults are notable because they lead to writing or reading data outside the bounds of the allocated buffer. An attack on cryptoprocessor implementations built on the vulnerable code could result in the extraction or overwriting of information stored on the chip side, such as cryptographic keys.

An attacker with access to a TPM command interface can send maliciously crafted commands to the module and trigger these vulnerabilities. This allows reading sensitive data or overwriting normally protected data that is only available to the TPM (for example, cryptographic keys).

It is mentioned that an attacker can use the ability to overwrite data in the TPM firmware to achieve execution of their own code in the TPM context, which could be used, for example, to implement backdoors that run on the TPM side and are not detected from the OS.

For those unfamiliar with the TPM (Trusted Platform Module), it is a hardware-based solution that provides strong cryptographic functions to modern computer operating systems and is designed to resist tampering.

An authenticated local attacker could send malicious commands to a vulnerable TPM that allow access to sensitive data. In some cases, the attacker can also overwrite protected data in the TPM firmware. This can cause a crash or arbitrary code execution within the TPM. Because the attacker's payload runs inside the TPM, it may not be detected by other components on the target device.

As cloud computing and virtualization have become more popular in recent years, software-based TPM implementations have also grown in popularity. The TPM can be implemented as a discrete, embedded, or firmware TPM in its hardware form. Virtual TPMs exist in hypervisor form or in a purely software-based TPM implementation, for example, swtpm.

Regarding the detected vulnerabilities, it is mentioned that they are caused by an incorrect size check of the parameters in the CryptParameterDecryption() function, which allows two bytes to be written or read beyond the buffer passed to the ExecuteCommand() function that contains the TPM 2.0 command. Depending on the firmware implementation, overwriting two bytes can corrupt either unused memory or data and pointers on the stack.
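To illustrate the bug class described above, here is an added example (not code from the TPM 2.0 reference implementation or from libtpms) of how a size-prefixed TPM2B-style parameter should be parsed from a command buffer: the length of the remaining buffer is checked before the two-byte size field is read, and the declared body size is checked against what remains. The status codes, struct and sample buffers are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Status codes for this illustrative parser (not real TPM_RC values). */
enum { PARAM_OK = 0, PARAM_ERR_INSUFFICIENT = 1, PARAM_ERR_SIZE = 2 };

/* A parsed TPM2B-style parameter: 2-byte big-endian size, then `size` bytes. */
typedef struct {
    uint16_t size;
    const uint8_t *data;
} tpm2b_view;

/*
 * Parse a size-prefixed parameter starting at `buf`, with `remaining`
 * bytes left in the command buffer.  The order of the two checks is the
 * point: the size field itself must be in bounds *before* it is read.
 * Otherwise a command whose parameter area ends early makes the parser
 * read two bytes past the end of the command buffer, which is exactly
 * the out-of-bounds access the article describes.
 */
int parse_tpm2b(const uint8_t *buf, size_t remaining, tpm2b_view *out)
{
    if (remaining < sizeof(uint16_t))            /* check before reading size */
        return PARAM_ERR_INSUFFICIENT;
    uint16_t size = (uint16_t)((buf[0] << 8) | buf[1]);
    if ((size_t)size > remaining - sizeof(uint16_t))   /* body must fit too */
        return PARAM_ERR_SIZE;
    out->size = size;
    out->data = buf + sizeof(uint16_t);
    return PARAM_OK;
}

/* Constructed command tail: a 3-byte parameter and nothing after it. */
static const uint8_t well_formed[] = { 0x00, 0x03, 0xAA, 0xBB, 0xCC };
/* Constructed truncated tail: one byte where the 2-byte size field should be. */
static const uint8_t truncated[] = { 0x00 };
/* Constructed oversized parameter: claims 10 bytes, only 2 follow. */
static const uint8_t oversized[] = { 0x00, 0x0A, 0x01, 0x02 };

int main(void)
{
    tpm2b_view v;
    printf("well_formed: %d\n", parse_tpm2b(well_formed, sizeof well_formed, &v));
    printf("truncated:   %d\n", parse_tpm2b(truncated, sizeof truncated, &v));
    printf("oversized:   %d\n", parse_tpm2b(oversized, sizeof oversized, &v));
    return 0;
}
```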

The vulnerability is triggered by sending specially crafted commands to the TPM module (the attacker must have access to the TPM interface).

The issues have already been fixed in the updated versions of the TPM 2.0 specification released in January (1.59 Errata 1.4, 1.38 Errata 1.13, 1.16 Errata 1.6).

It is also reported that the open source libtpms library, which is used to programmatically emulate TPM modules and integrate TPM support into hypervisors, is affected by the vulnerability. The vulnerability was fixed in libtpms 0.9.6, so those running an older version are advised to update to the new release as soon as possible.

Regarding the solution to these flaws, the TCG (Trusted Computing Group) has published an update to its Errata for the TPM 2.0 library specification with instructions for addressing these vulnerabilities. To ensure the security of their systems, users should apply the updates provided by hardware and software manufacturers through their supply chain as soon as possible.

Finally, if you are interested in learning more, you can consult the details at the following link.
