Vulnerability Management, Threat Management

TPM 2.0 vulnerabilities identified

SecurityWeek reports that the Trusted Platform Module 2.0 reference library specification is being impacted by two serious security flaws, tracked as CVE-2023-1017 and CVE-2023-1018, which could be leveraged to facilitate code execution attacks. "An attacker with access to a device built with a vulnerable version of the TPM can trigger this bug by sending crafted commands to the TPM. The vulnerable TPM can thus be tricked to access data that is not part of the intended operation. As the OS relies on the TPM firmware for these functions, it may be difficult to detect or prevent such access using traditional host-based security capabilities," said an advisory from Carnegie Mellon's CERT coordination center. Immediate application of any updates from hardware and software manufacturers has been recommended. Users have also been urged to leverage TPM Remote Attestation to better secure their devices. "As these attacks involve TPM-based software, mechanisms such as user-password or PIN protection and tpm-totp do not protect against attacks leveraging the [memory corruption] vulnerabilities," the advisory added.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.