Two Security Flaws in the TPM 2.0 Specs Put Cryptographic Keys at Risk

upstart writes:

In-hardware security can be defeated with just two extra bytes:

The Trusted Platform Module (TPM) secure crypto-processor became a topic for public debate in 2021 when Microsoft forced TPM 2.0 adoption as a minimum requirement for installing Windows 11. The dedicated hardware controller should provide "extra hard" security to data and cryptographic algorithms, but the official specifications are bugged.

Security researchers recently discovered a couple of flaws in the Trusted Platform Module (TPM) 2.0 reference library specification, two dangerous buffer overflow vulnerabilities that could potentially impact billions of devices. Exploiting the flaws is only possible from an authenticated local account, but a piece of malware running on an affected device could do exactly that.

The two vulnerabilities are tracked as CVE-2023-1017 and CVE-2023-1018, or as "out-of-bounds write" and "out-of-bounds read" flaws. The issue was discovered within the TPM 2.0's Module Library, which allows writing (or reading) two "extra bytes" past the end of a TPM 2.0 command in the CryptParameterDecryption routine.

By writing specifically crafted malicious commands, an attacker could exploit the vulnerabilities to crash the TPM chip making it "unusable," execute arbitrary code within TPM's protected memory or read/access sensitive data stored in the (theoretically) isolated crypto-processor.

In other words, successful exploitation of the CVE-2023-1017 and CVE-2023-1018 flaws could compromise cryptographic keys, passwords and other critical data, making security features of modern, TPM-based operating systems like Windows 11 essentially useless or broken.

Read more of this story at SoylentNews.