"New Flaws in TPM 2.0 Library Pose Threat to Billions of IoT and Enterprise Devices"

The Trusted Platform Module (TPM) 2.0 reference library specification contains two critical security flaws that could lead to information disclosure or privilege escalation. One of the vulnerabilities, tracked as CVE-2023-1017, involves an out-of-bounds write, while the other, tracked as CVE-2023-1018, is described as an out-of-bounds read. Quarkslab is credited with identifying and reporting the vulnerabilities in November 2022. According to an advisory from the Trusted Computing Group (TCG),  these vulnerabilities can be triggered from user-mode applications by sending malicious commands to a TPM 2.0 whose firmware is based on an affected TCG reference implementation. Quarkslab said that the flaws could impact billions of devices as they can affect large technology suppliers, companies using enterprise computers, servers, Internet of Things (IoT) devices, and embedded systems containing a TPM. This article continues to discuss the new flaws in TPM 2.0 library posing a threat to billions of devices. 

THN reports "New Flaws in TPM 2.0 Library Pose Threat to Billions of IoT and Enterprise Devices"