TPM 2.0 Library Flaws Could Let Hackers Steal Sensitive Data

The Trusted Platform Module (TPM) 2.0 contains two library flaws that could allow attackers to access or overwrite sensitive data, such as cryptographic keys. TPM is a hardware-based technology that provides operating systems with tamper-resistant secure cryptographic functions.

TPM 2.0 Library Flaws Could Let Hackers Steal Sensitive Data

The new vulnerabilities in TPM 2.0 were discovered by Quarkslab’s researchers Francisco Falcon and Ivan Arce. According to them, the flaws could impact billions of devices. The vulnerabilities are tracked as CVE-2023-1017 (out-of-bounds read) and CVE-2023-1018 (out-of-bounds write).

Check Also: BEWARE! Pokemon Card Game Is Just A Clever Trap By Hackers

Both flaws arise from how the specification processes the parameters for some TPM commands. These commands allow an authenticated local attacker to exploit them by sending maliciously crafted commands to execute code within the TPM.

The developer of the TPM specification said that the flaws result in information disclosure or escalation of privileges. The buffer overflow problems concern reading or writing 2 bytes after the end of the buffer passed to the ExecuteCommand() entry point.

However, the impact of this depends on what vendors have implemented on that memory location. According to the BleepingComputer, the CERT Coordination Center has published an alert about the vulnerabilities. It has been informing vendors for months. Moreover, it is trying to raise awareness while mapping the impact.

Lenovo is the only major OEM that has issued a security advisory about the two TPM flaws. These flaws require authenticated local access to a device, it is important to remember that malware running on the device would meet that condition.

See Also: Hackers Steal the data of Activision games and employee