CVE-2023-1017 - Out-of-Bounds Write Vulnerability in TPM2. Module Library Leading to Potential Denial of Service and Arbitrary Code Execution
A newly discovered vulnerability, assigned as CVE-2023-1017, exists in the TPM2. (Trusted Platform Module) Module Library, which can potentially lead to denial of service and/or arbitrary code execution in the TPM context. This vulnerability is due to an out-of-bounds write issue, occurring in the CryptParameterDecryption routine of the TPM2. software stack.
In this post, we will examine the details of this vulnerability, explain how it can be exploited, and provide some code snippets and reference links for further understanding.
Vulnerability Details
An out-of-bounds write vulnerability has been found in the TPM2. Module Library. Specifically, the issue occurs when a 2-byte data is written past the end of a TPM2. command within the CryptParameterDecryption routine. An attacker who can exploit this vulnerability can potentially cause a denial of service (DoS) by crashing the TPM chip or process, rendering it unusable. Moreover, the attacker may also be able to execute arbitrary code within the context of the TPM.
Exploit Details
The out-of-bounds write issue occurs in the CryptParameterDecryption routine, as shown in the following code snippet:
/* Vulnerable code in CryptParameterDecryption routine */
UINT16
CryptParameterDecryption(TPM_CC command, TPMT_RSA_DECRYPT *decryptScheme,
UINT32 keyHandle, BYTE *label,
TPM2B_PUBLIC_KEY_RSA *encryptedData,
TPM2B_PRIVATE_KEY_RSA *decryptedData) {
// ...
memcpy(privateKeyData, encryptedData, encryptedDataSize);
// ...
/* Write 2-byte dataSize outside the bounds of privateKeyData */
*(UINT16 *)(privateKeyData + encryptedDataSize) = decryptedDataSize;
}
The problematic code writes a 2-byte decryptedDataSize value past the end of the privateKeyData buffer, resulting in an out-of-bounds write issue. If an attacker can successfully trigger this vulnerability, they can potentially overwrite sensitive memory regions, disrupt the normal functionality of the TPM, and execute arbitrary code within the TPM context.
Links to Original References
The vulnerability has been reported by the TPM2. maintainers and detailed information can be found in the following links:
1. Vulnerability Advisory from TPM2. Maintainers
2. TPM2. Software Stack Github Repository
Mitigation
It's essential for users to update their TPM2. software stack to the latest version, which contains a patch addressing this vulnerability. The following code snippet demonstrates the patched code within the CryptParameterDecryption routine:
/* Patched code in CryptParameterDecryption routine */
UINT16
CryptParameterDecryption(TPM_CC command, TPMT_RSA_DECRYPT *decryptScheme,
UINT32 keyHandle, BYTE *label,
TPM2B_PUBLIC_KEY_RSA *encryptedData,
TPM2B_PRIVATE_KEY_RSA *decryptedData) {
// ...
memcpy(privateKeyData, encryptedData, encryptedDataSize);
// ...
/* Bounds check before writing dataSize */
if (encryptedDataSize + sizeof(UINT16) <= sizeof(privateKeyData)) {
*(UINT16 *)(privateKeyData + encryptedDataSize) = decryptedDataSize;
} else {
return TPM_RC_SIZE;
}
}
By verifying that sufficient space exists within the privateKeyData buffer before writing the decryptedDataSize, the out-of-bounds write vulnerability is resolved.
Conclusion
The CVE-2023-1017 vulnerability in TPM2.'s Module Library highlights the importance of thorough vulnerability assessments and updating the software to the latest version. By staying informed about emerging vulnerabilities and applying necessary patches, users can significantly reduce the risk of exploitation and maintain a secure computing environment.
Timeline
Published on: 02/28/2023 19:15:00 UTC
Last modified on: 03/10/2023 02:04:00 UTC