1. Forum
  2. tqwNet
  3. TQW_GENTECH

  • This new TPM 2.0 security flaw could spell big trouble for "billi

    From TechnologyDaily@1337:1/100 to All on Mon Mar 6 15:00:04 2023
    This new TPM 2.0 security flaw could spell big trouble for "billions" of devices

    Date:
    Mon, 06 Mar 2023 14:41:18 +0000

    Description:
    "Billions" of devices could be in trouble due to two flaws found in the TPM 2.0 chip.

    FULL STORY ======================================================================

    Cybersecurity researchers from Quarkslab have discovered two vulnerabilities in the Trusted Platform Module (TPM) 2.0, which could spell major trouble for billions of devices.

    TPM 2.0 is a chip that PC manufacturers have been adding to the motherboards since mid-2016. The technology, as Microsoft explains, is designed to provide security-related functions. The chip helps generate, store, and limit the use of cryptographic keys.

    Many TPMs, the company further explains, include physical security mechanisms to make them tamper-resistant. TPM 2.0 flaw

    Now, researchers Francisco Falcon and Ivan Arce discovered out-of-bounds read (CVE-2023-1017) and out-of-bounds write (CVE-2023-1018) vulnerabilities,
    which could allow threat actors to escalate privileges and steal sensitive data from vulnerable endpoints . The impact of the flaws could differ from vendor to vendor, BleepingComputer said. Read more

    Check out the best malware protecetions right now


    How to upgrade to Windows 11 without TPM 2.0


    How to enable TPM 2.0 for Windows 11

    The CERT Coordination Center published an alert about the flaws, and claims
    to have been notifying vendors for months, however only a handful of entities have confirmed they are impacted.

    "An attacker who has access to a TPM-command interface can send maliciously-crafted commands to the module and trigger these
    vulnerabilities," warned CERT. This allows either read-only access to sensitive data or overwriting of normally protected data that is only available to the TPM (e.g., cryptographic keys)."

    Organizations worried about these flaws should move to one of these fixed versions:

    TMP 2.0 v1.59 Errata version 1.4 or higher

    TMP 2.0 v1.38 Errata version 1.13 or higher

    TMP 2.0 v1.16 Errata version 1.6 or higher

    Apparently, Lenovo is the only major OEM to have already issued a security advisory about these flaws, with others hopefully set to follow suit soon.

    To abuse the flaw, a threat actor would need to have authenticated access to
    a device. However, any malware already running on the endpoin t would have that prerequisite, the researchers warned. These are the best firewalls right now

    Via: BleepingComputer



    ======================================================================
    Link to news story: https://www.techradar.com/news/this-new-tpm-20-security-flaw-could-spell-big-t rouble-for-billions-of-devices


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)