Two security flaws (CVE-2023-1017 & CVE-2023-1018) found on Trusted Platform Module 2.0

The Trusted Computing Group (TCG) Trusted Platform Module (TPM) is a physical or embedded security technology (microcontroller) that resides on a computer’s motherboard or in its processor designed to ensure the integrity and confidentiality of sensitive data stored in a computer system. It is used in a wide range of applications, including secure boot, disk encryption, and secure key storage. However, two recently discovered vulnerabilities in the TPM2.0’s Module Library could compromise the security of the system.

CVE-2023-1017 is an out-of-bounds write vulnerability that exists in the CryptParameterDecryption routine. An attacker who can exploit this vulnerability can write 2 bytes past the end of the TPM2.0 command, leading to a denial of service or arbitrary code execution in the TPM context. The impact of this vulnerability depends on the contents of the memory location where the 2 bytes are written. In some cases, the memory location may be unused, while in others, it may contain live data.

CVE-2023-1018 is an out-of-bounds read vulnerability that exists in the same CryptParameterDecryption routine. An attacker who can exploit this vulnerability can read 2 bytes past the end of the TPM2.0 command, potentially accessing sensitive data stored in the TPM. The impact of this vulnerability is significant as it could compromise the confidentiality of the system’s data.

The vulnerabilities were discovered by Francisco Falcon from Quarkslab and reported to the CERT Coordination Center (CERT/CC) and subsequently reported to the TCG VRT. The root cause of both vulnerabilities is a lack of appropriate length checks in the reference code, which could result in buffer overflows. The buffer overflows occur on the buffer passed to the ExecuteCommand() entry point, as detailed in Part 4 of the specification.

The impact of these CVE-2023-1017 and CVE-2023-1018 is significant as they could allow attackers to compromise the security of the system. A successful exploit of either vulnerability could allow an attacker to gain unauthorized access to sensitive data, execute arbitrary code in the TPM context, or render the TPM chip/process unusable, resulting in a denial of service.