VU#282450: Out-of-Bounds read vulnerability in TCG TPM2.0 reference implementation
A vulnerability has been identified in the Trusted Platform Module (TPM) 2.0 reference library specification, which can be exploited by an attacker with access to a TPM command interface. The attacker can send specially crafted commands, potentially leading to unauthorized access to sensitive data or denial of service of the TPM. TPM technology provides secure cryptographic functions to operating systems on modern computing platforms. The Trusted Computing Group (TCG) maintains the TPM specifications and provides a reference implementation to assist vendor adoption. A security researcher discovered an OOB read vulnerability in the CryptHmacSign function of the reference implementation. The issue arises because the reference code did not implement appropriate consistency checks, resulting in potential out-of-bound read. An attacker can exploit this mismatch by submitting a maliciously crafted packet, resulting in an out-of-bounds read from TPM memory, which may expose sensitive data. An authenticated local attacker can send malicious commands to a vulnerable TPM interface, resulting in information disclosure or denial of service of the TPM. The TCG has released an errata update to the TPM 2.0 Library Specification and updated the reference implementations to address this vulnerability. Users are strongly encouraged to apply TPM-related firmware updates provided by their hardware or system vendors.