Buffer Overflow Flaws in Trusted Platform Modules Allow Malicious Commands - #CVE-2023-1017
Two vulnerabilities, CVE-2023-1017 and CVE-2023-1018, were discovered in the Trusted Platform Module (TPM) 2.0 reference implementation code that could allow attackers to gain elevated privileges and access sensitive data. The vulnerabilities arise from how the specification processes the parameters for some TPM commands, allowing an authenticated local attacker to exploit them by sending maliciously crafted commands to execute code within the TPM. The Trusted Computing Group has released an update to their Errata for TPM2.0 Library Specification with instructions for patching the vulnerabilities, and users must apply the relevant hardware and software security updates to receive the patches. Large tech vendors, organizations using enterprise computers, servers, IoT devices, and embedded systems that include a TPM can be impacted by the flaws.