Two vulnerabilities found in TPM 2.0 that allow access to protected data


If exploited, these flaws could give an attacker unauthorized access to sensitive data held by the module or, more generally, allow the module to be corrupted.

It was recently reported that two vulnerabilities (already catalogued as CVE-2023-1017 and CVE-2023-1018) have been identified in the code of the reference implementation of the TPM 2.0 (Trusted Platform Module) specification.

The flaws are notable because they lead to writing (CVE-2023-1017) or reading (CVE-2023-1018) data outside the bounds of the allocated buffer. An attack on a cryptoprocessor implementation built from the vulnerable code could lead to extraction or overwriting of data stored on the chip side, such as cryptographic keys.

An attacker with access to the TPM command interface can send maliciously crafted commands to the module and trigger these vulnerabilities. This gives read access to sensitive data, or the ability to overwrite protected data that is available only to the TPM (for example, cryptographic keys).

It is also noted that an attacker could use the ability to overwrite data in the TPM firmware to arrange execution of their own code in the TPM context, which could, for example, be used to plant backdoors that operate on the TPM side and are not detectable from the operating system.

For those unfamiliar with the TPM (Trusted Platform Module), it is a hardware-based root of trust that provides secure cryptographic functions to modern operating systems and is designed to be resistant to tampering.

An authenticated local attacker could send malicious commands to a vulnerable TPM and obtain access to sensitive data. In some cases, the attacker can also overwrite protected data in the TPM firmware. This can lead to a crash or to arbitrary code execution inside the TPM. Because the attacker's payload runs within the TPM, it may not be detected by other components on the target device.

As cloud computing and virtualization have grown in popularity in recent years, software-based TPM implementations have become common as well. In hardware form, a TPM can be implemented as a discrete, integrated, or firmware TPM. Virtual TPMs exist either as part of a hypervisor or as purely software-based TPM implementations, for example swtpm.

As for the vulnerabilities themselves, they are caused by an incorrect size check on the parameters of the CryptParameterDecryption() function, which allows two bytes to be written or read beyond the end of the buffer passed to the ExecuteCommand() function, the buffer that holds the TPM 2.0 command. Depending on the firmware implementation, overwriting those two bytes may corrupt unused memory, or data and pointers on the stack.

The vulnerabilities are exploited by sending specially crafted commands to the TPM module (the attacker must have access to the TPM interface).
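The faulty check described above, as an added, simplified C model of the bug shape rather than the TCG reference code (the function names, return codes and exact form of the comparison are assumptions; what is kept from the advisory is that a TPM2B parameter carries a two-byte size prefix and that the flawed check lets the decryption run two bytes past the buffer handed to ExecuteCommand()). The harness places a two-byte canary directly after the parameter inside one backing array, so the overrun stays within defined memory and shows up as a changed canary:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Illustrative return codes; NOT the TPM_RC_* values of the specification. */
enum { RC_SUCCESS = 0, RC_SIZE = 1, RC_INSUFFICIENT = 2 };

/* Stand-in for the session decryption. A real TPM would use AES-CFB or
 * an XOR keystream derived from the session; only the bounds handling
 * matters here, so a fixed single-byte XOR is enough to show which
 * bytes are read and written. */
static void xor_stream(uint8_t *p, size_t n, uint8_t key)
{
    for (size_t i = 0; i < n; i++)
        p[i] ^= key;
}

/* Vulnerable shape (assumed, simplified): the two-byte size prefix of a
 * TPM2B parameter is read and checked against the whole remaining buffer,
 * but the decryption then runs on the bytes AFTER the prefix. A declared
 * size equal to bufferSize therefore reads and writes two bytes beyond
 * the end of the command buffer. */
int decrypt_param_vuln(uint8_t *buffer, size_t bufferSize, uint8_t key)
{
    if (bufferSize < 2)
        return RC_INSUFFICIENT;
    uint16_t cipherSize = (uint16_t)((buffer[0] << 8) | buffer[1]);
    if (cipherSize > bufferSize)        /* ignores the prefix just consumed */
        return RC_SIZE;
    xor_stream(buffer + 2, cipherSize, key);
    return RC_SUCCESS;
}

/* Hardened shape: account for the prefix before comparing, so the
 * declared size can never reach past bufferSize. */
int decrypt_param_fixed(uint8_t *buffer, size_t bufferSize, uint8_t key)
{
    if (bufferSize < 2)
        return RC_INSUFFICIENT;
    uint16_t cipherSize = (uint16_t)((buffer[0] << 8) | buffer[1]);
    if (cipherSize > bufferSize - 2)
        return RC_SIZE;
    xor_stream(buffer + 2, cipherSize, key);
    return RC_SUCCESS;
}

/* Constructed test input: a PARAM_LEN-byte parameter buffer followed by a
 * two-byte canary in the same backing array. */
#define PARAM_LEN 8
#define CANARY0   0xAA
#define CANARY1   0x55

typedef int (*decrypt_fn)(uint8_t *, size_t, uint8_t);

/* Runs fn on a parameter whose size prefix claims declaredSize bytes.
 * Returns fn's result and reports through *canary_intact whether the
 * two bytes after the buffer survived the call untouched. */
static int run_case(decrypt_fn fn, uint16_t declaredSize, int *canary_intact)
{
    uint8_t backing[PARAM_LEN + 2];
    memset(backing, 0x11, PARAM_LEN);
    backing[0] = (uint8_t)(declaredSize >> 8);
    backing[1] = (uint8_t)(declaredSize & 0xFF);
    backing[PARAM_LEN]     = CANARY0;
    backing[PARAM_LEN + 1] = CANARY1;

    int rc = fn(backing, PARAM_LEN, 0xFF);
    *canary_intact = (backing[PARAM_LEN] == CANARY0 &&
                      backing[PARAM_LEN + 1] == CANARY1);
    return rc;
}

/* 1 if the vulnerable check accepts a size equal to the buffer length and
 * the decryption clobbers the two bytes past it (the CVE shape). */
int vuln_overruns(void)
{
    int intact;
    int rc = run_case(decrypt_param_vuln, PARAM_LEN, &intact);
    return rc == RC_SUCCESS && !intact;
}

/* 1 if the hardened check rejects that same crafted size and leaves the
 * bytes past the buffer alone. */
int fixed_rejects_overrun(void)
{
    int intact;
    int rc = run_case(decrypt_param_fixed, PARAM_LEN, &intact);
    return rc == RC_SIZE && intact;
}

/* 1 if the hardened check still accepts the largest legitimate size. */
int fixed_accepts_valid(void)
{
    int intact;
    int rc = run_case(decrypt_param_fixed, PARAM_LEN - 2, &intact);
    return rc == RC_SUCCESS && intact;
}

int main(void)
{
    printf("vulnerable check overruns the canary: %d\n", vuln_overruns());
    printf("fixed check rejects crafted size:     %d\n", fixed_rejects_overrun());
    printf("fixed check accepts valid size:       %d\n", fixed_accepts_valid());
    return 0;
}
```

The point to take from the model is that the check compares the declared size against the wrong base: the caller has already consumed the two-byte prefix, so the remaining payload is two bytes shorter than bufferSize. Whether those two bytes land in padding or in a stack pointer depends on how the firmware lays out the command buffer, which is why the advisory rates the impact as implementation-dependent.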

The issues have already been fixed in the updated versions of the TPM 2.0 specification published in January (1.59 Errata 1.4, 1.38 Errata 1.13 and 1.16 Errata 1.6).

It is also reported that the open source library libtpms, which is used to emulate TPM functionality in software and to add TPM support to hypervisors, is affected by the vulnerabilities. The issue was fixed in libtpms release 0.9.6, so anyone running an older version is advised to update to the new release as soon as possible.

As for remediation, the TCG (Trusted Computing Group) has published an update to the Errata of the TPM 2.0 Library specification with instructions for addressing these vulnerabilities. To keep their systems secure, users should apply the updates provided by hardware and software manufacturers through their supply chain as soon as possible.

Finally, if you are interested in learning more, you can consult the details at the following link.
