deneme bonusu
Two security flaws in the TPM 2.0 specs put cryptographic keys at risk | Insider Feeds %

Two security flaws in the TPM 2.0 specs put cryptographic keys at risk




Facepalm: The Trusted Platform Module (TPM) secure crypto-processor became a topic for public debate in 2021 when Microsoft forced TPM 2.0 adoption as a minimum requirement for installing Windows 11. The dedicated hardware controller should provide “extra hard” security to data and cryptographic algorithms, but the official specifications are bugged.

Security researchers recently discovered a couple of flaws in the Trusted Platform Module (TPM) 2.0 reference library specification, two dangerous buffer overflow vulnerabilities that could potentially impact billions of devices. Exploiting the flaws is only possible from an authenticated local account, but a piece of malware running on an affected device could do exactly that.

The two vulnerabilities are tracked as CVE-2023-1017 and CVE-2023-1018, or as “out-of-bounds write” and “out-of-bounds read” flaws. The issue was discovered within the TPM 2.0’s Module Library, which allows writing (or reading) two “extra bytes” past the end of a TPM 2.0 command in the CryptParameterDecryption routine.

Also read: We Cannot Live Without Cryptography!

By writing specifically crafted malicious commands, an attacker could exploit the vulnerabilities to crash the TPM chip making it “unusable,” execute arbitrary code within TPM’s protected memory or read/access sensitive data stored in the (theoretically) isolated crypto-processor.

In other words, successful exploitation of the CVE-2023-1017 and CVE-2023-1018 flaws could compromise cryptographic keys, passwords and other critical data, making security features of modern, TPM-based operating systems like Windows 11 essentially useless or broken.

TPM provides a hardware number generator, secure generation and storage of cryptographic keys, remote attestation with a “nearly unforgeable” hash key summary of the hardware and software configuration, and other Trusted Computing functions. On Windows 11, the TPM can be used by DRM technology, Windows Defender, BitLocker full-disk encryption and more.

According to CERT Coordination Center at Carnegie Mellon University, a successful payload exploiting the vulnerabilities could run within the TPM and be essentially “undetectable” by security software or devices. The issue is resolved by installing the most recent firmware updates available for the user’s device, but the process is easier said than done.

While the flaws could theoretically impact billions of motherboards and software products, just a few companies have confirmed that they are indeed affected by the issue thus far. Chinese company Lenovo, the world’s largest PC manufacturer, acknowledged the issue in its Nuvoton line of TPM chips. An attacker could exploit the CVE-2023-1017 flaw to cause a denial of service issue in the Nuvoton NPCT65x TPM chip, Lenovo said.


Source link

Subscribe to our magazine

━ more like this

Understanding and Excelling in the HSC Short Syllabus in Bangladesh

Introduction: The Higher Secondary Certificate (HSC) Short Syllabus in Bangladesh has been introduced to overcome academic challenges and ensure effective learning. This comprehensive guide explores...

A Detailed Exploration of SSC Exam Routine 2024 in Bangladesh

Introduction: Embarking on the academic journey, the Secondary School Certificate (SSC) exam holds paramount significance for students in Bangladesh. This comprehensive guide navigates the intricacies...

A Comprehensive Guide to PESP Finance Gov BD

Introduction: In the intricate world of financial management, PESP Finance Gov BD emerges as a key player. This comprehensive guide explores the various aspects of...

Innovative Uses for Coffee Burlap Bags in Your Garden

Demystifying Coffee Burlap Bags Before we dive into their myriad uses, let's acquaint ourselves with coffee burlap bags. Made from robust natural burlap fibers, they're...

Unlocking the Benefits of Online Shopping with Credit Cards: Why OneCard Might Be Your Best Bet?

Indians are increasingly opting for online shopping over in-store purchases, with credit card transactions online outpacing those at physical Point of Sale (PoS) locations...