A new vulnerability, CVE-2023-1018, has been discovered in the TPM2.0 Module Library. It is an out-of-bounds read: the CryptParameterDecryption routine can read two bytes past the end of a TPM2.0 command. An attacker who successfully exploits this vulnerability can potentially read or access sensitive data stored in the TPM.

What is TPM2.0?

Trusted Platform Module (TPM) is a hardware-based security component that provides a protected environment for storing cryptographic keys, passwords, and certificates. TPM2.0 is the current version of the TPM specification and adds several features and enhancements over the previous version. As a critical component of modern computing systems, TPM2.0 is designed to provide secure storage, measurement, and reporting of sensitive data.

Vulnerability Details

In the TPM2.0 Module Library, the function CryptParameterDecryption is used to decrypt sensitive TPMS structures (such as TPM2_SENSITIVE, TPM2B_PRIVATE, and TPM2B_ID_OBJECT). The decryption operation does not correctly bound the size of the parameter against the command buffer, so it reads two bytes past the end of the TPM2.0 command, resulting in an out-of-bounds read.

Exploit

The following simplified code snippet illustrates the vulnerability by reading two bytes beyond the end of a TPM2.0 command:

UINT16 CryptParameterDecryption(TPM_CC commandCode,
                                TPM2B *encrypted,
                                TPM2B *decrypted) {
  // Other code and local variable declarations
  ...

  UINT16 bytesRead;
  bytesRead = (UINT16)TPM2B_OFFSET(encrypted->size);

  // The issue: the offset is advanced two bytes past the end of the
  // TPM2.0 command without checking it against the command length
  bytesRead += 2;

  // Copy the sensitive data from the (now out-of-bounds) offset
  MemoryCopy(decrypted->buffer, encrypted->buffer + bytesRead, decrypted->size);

  // Other code and operations
  ...
  return decrypted->size;
}

Mitigation

To mitigate this vulnerability, the developers of the TPM2.0 Module Library should fix the out-of-bounds read by correctly calculating the bytesRead value and checking it against the length of the command, ensuring that only the intended range of memory is accessed during the decryption operation.
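The following C program is an added illustration of the bounds checks described above; it is not code from the TPM2.0 Module Library. It models a TPM2B-style parameter (a 2-byte big-endian size prefix followed by the payload) sitting inside a command buffer of known remaining length, and shows the two checks a decryption routine needs before it touches the payload: the size field itself must fit in the bytes left, and the payload the size field announces must fit as well. The "decryption" is a stand-in XOR with a constructed key; the type and function names are assumptions for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Result codes for this example (constructed; not the reference library's). */
typedef enum {
    PARAM_OK = 0,
    PARAM_INSUFFICIENT = 1,   /* fewer than 2 bytes left: cannot read the size field */
    PARAM_SIZE = 2,           /* size field claims more bytes than the command holds */
    PARAM_BAD_ARG = 3         /* missing buffer or empty key */
} param_rc;

/* Decrypts (stand-in: XOR with a demo keystream) the TPM2B-style parameter
   at the start of 'cmd' in place. 'remaining' is the number of bytes of the
   command that are still unparsed. On success *consumed is set to 2 + size
   so the caller can advance its cursor to the next parameter. */
param_rc decrypt_parameter(uint8_t *cmd, size_t remaining,
                           const uint8_t *key, size_t key_len,
                           size_t *consumed)
{
    if (cmd == NULL || key == NULL || key_len == 0 || consumed == NULL)
        return PARAM_BAD_ARG;

    /* Check 1: the 2-byte size prefix must fit in what is left of the
       command. Reading it without this check is the two-byte over-read
       pattern this advisory describes. */
    if (remaining < 2)
        return PARAM_INSUFFICIENT;

    uint16_t size = (uint16_t)(((uint16_t)cmd[0] << 8) | cmd[1]);

    /* Check 2: the payload announced by the size field must also fit. */
    if ((size_t)size > remaining - 2)
        return PARAM_SIZE;

    /* Only now touch the payload, and only 'size' bytes of it. */
    for (size_t i = 0; i < size; i++)
        cmd[2 + i] ^= key[i % key_len];

    *consumed = 2 + (size_t)size;
    return PARAM_OK;
}

/* Walks every parameter in a command's parameter area, stopping at the
   first malformed one. Returns the number of parameters decrypted, or -1
   if a parameter was rejected; *offset holds where parsing stopped. */
int decrypt_all_parameters(uint8_t *params, size_t len,
                           const uint8_t *key, size_t key_len,
                           size_t *offset)
{
    int count = 0;
    *offset = 0;
    while (*offset < len) {
        size_t used = 0;
        if (decrypt_parameter(params + *offset, len - *offset,
                              key, key_len, &used) != PARAM_OK)
            return -1;
        *offset += used;
        count++;
    }
    return count;
}

int main(void)
{
    const uint8_t key[] = { 0x5A };                     /* constructed demo key */
    uint8_t truncated[] = { 0x00 };                     /* only 1 byte remains */
    uint8_t oversized[] = { 0x00, 0x05, 0x01, 0x02, 0x03 }; /* claims 5, holds 3 */
    uint8_t well_formed[] = { 0x00, 0x03, 0x01, 0x02, 0x03, 0x00, 0x01, 0x07 };
    size_t used = 0, off = 0;

    printf("truncated  -> rc %d\n", decrypt_parameter(truncated, sizeof truncated, key, 1, &used));
    printf("oversized  -> rc %d\n", decrypt_parameter(oversized, sizeof oversized, key, 1, &used));
    printf("well_formed -> %d params, stopped at offset %zu\n",
           decrypt_all_parameters(well_formed, sizeof well_formed, key, 1, &off), off);
    return 0;
}
```

The important property is the order of the checks: the length of the size field is validated against the remaining command bytes before the field is read, and the announced payload length is validated before any byte of the payload is dereferenced, so a crafted size prefix can at most produce an error code, never an out-of-bounds read.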

References

1. Original Advisory: CVE-2023-1018 - TPM 2.0 Out-of-Bounds Read Vulnerability

2. TPM 2.0 Specification

Conclusion

CVE-2023-1018 is a potentially critical vulnerability in the TPM2.0 Module Library that, if successfully exploited, allows an attacker to read or access sensitive data stored in the TPM. To protect their systems, users should ensure they are running a version of the TPM2.0 Module Library in which the vulnerability is fixed. Additionally, always keep system software up to date and monitor security news for information regarding this and other vulnerabilities.

Timeline

Published on: 02/28/2023 18:15:00 UTC
Last modified on: 03/10/2023 15:04:00 UTC