Nuvoton TPM Denial of Service Vulnerability

Lenovo Security Advisory: LEN-118320

Potential Impact: Denial of Service 

Severity: High

Scope of Impact: Industry-wide

CVE Identifier: CVE-2023-1017

 

Summary Description:

An out-of-bounds write vulnerability exists in the TPM 2.0 Module Library. An attacker who can successfully exploit this vulnerability can cause a denial of service in the Nuvoton Trusted Platform Module (TPM) NPCT65x. The attack does not succeed in writing to or corrupting the TPM, but it does cause the TPM to become inaccessible as it enters a recoverable protection mode intended to safeguard the TPM and its contents.

Lenovo servers listed in the product tables below contain Nuvoton's NPCT65X and are vulnerable to CVE-2023-1017 if configured in TPM 2.0 mode (only). Attacks can trigger the TPM to enter a protected state, which is recoverable with an AC power cycle (hard reset).

Products in TPM 1.2 mode, or with Nuvoton's NPCT7XX TPM, are not vulnerable to CVE-2023-1017. Many Lenovo servers listed in the product impact tables below shipped with TPM 1.2 mode set as default and would have required manual interaction from a customer to toggle to TPM 2.0 mode. See below for additional information on the default TPM mode version.

Lenovo servers are not vulnerable to CVE-2023-1018.

Lenovo is working with Nuvoton on a TPM firmware update to address this issue.  Interim mitigations include following general security best practices, such as limiting privileged operating system access to trusted users and running only trusted code. 

See Nuvoton’s security advisory for more details: https://www.nuvoton.com/support/security/security-advisories/sa-003/

Affected Product(s): NPCT65x TPM in 2.0 mode (only) with firmware 1.3.0.1, 1.3.1.0 & 1.3.2.8

NOTE: Upgrading to the firmware listed in the product tables below will mitigate CVE-2023-1017; however, this fix will not be TCG, Common Criteria (CC) or FIPS 140 certified. Nuvoton recommends that TPM 2.0 users apply the NPCT65x TPM 2.0 firmware update once available.

The TPM endorsement key certificate contains the TPM chip model and base TPM firmware version, which can be used to help identify affected systems.

For Windows, use the Get-TpmEndorsementKeyInfo PowerShell cmdlet:

Get-TpmEndorsementKeyInfo

<details removed for readability>

ManufacturerCertificates : {[Subject]

     TPMManufacturer=id:4E544300 + TPMModel=NPCT6xx + TPMVersion=id:13

 

For Linux systems, tpm2-tools can assist in retrieving the TPM endorsement key certificate from the host system using the tpm2_getekcertificate command. OpenSSL can then be used to decode the endorsement key certificate:

tpm2_getekcertificate -o tpmek1.cer
openssl x509 -in tpmek1.cer -text -noout

<details removed for readability>

X509v3 Subject Alternative Name: critical
     DirName:/2.23.133.2.1=id:4E544300/2.23.133.2.2=NPCT6xx/2.23.133.2.3=id:13

 

NPCT6xx indicates the NPCT65x TPM chip is used. id:13 indicates the TPM is in TPM 2.0 mode running firmware v1.3.x and may be affected. id:0581 indicates the TPM is in TPM 1.2 mode running firmware v5.81.x and is not affected as currently configured.

The TPM mode and the specific firmware version in use can be found in UEFI Setup under System Settings -> Security -> Trusted Platform Module -> TPM <mode> -> TPM Firmware Version, where <mode> is either 1.2 or 2.0.
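As an added example (not part of Lenovo's or Nuvoton's advisory), the following Python script parses the three EK identity fields from either tool's output shown above and applies the advisory's model/version rules to classify a host. The sample strings are constructed, and the function names are my own.

```python
# TCG OIDs in the EK certificate subject as printed by openssl on Linux;
# the Windows cmdlet prints the same three fields by name instead.
OID_NAMES = {
    "2.23.133.2.1": "TPMManufacturer",
    "2.23.133.2.2": "TPMModel",
    "2.23.133.2.3": "TPMVersion",
}
NUVOTON_ID = "id:4E544300"  # manufacturer id shown in the advisory output


def parse_ek_identity(text):
    """Extract TPMManufacturer/TPMModel/TPMVersion from either tool's output.

    Accepts the openssl 'DirName:/oid=val/...' form or the PowerShell
    'TPMManufacturer=... + TPMModel=... + TPMVersion=...' form.
    """
    text = text.strip()
    if text.startswith("DirName:"):
        parts = [p for p in text[len("DirName:"):].split("/") if p]
    else:
        parts = [p.strip() for p in text.split("+")]
    fields = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            fields[OID_NAMES.get(key, key)] = value
    return fields


def classify(fields):
    """Map the identity fields onto the advisory's CVE-2023-1017 cases."""
    if fields.get("TPMManufacturer") != NUVOTON_ID:
        return "not-affected", "not a Nuvoton TPM"
    model = fields.get("TPMModel", "")
    version = fields.get("TPMVersion", "")
    if model != "NPCT6xx":
        # Advisory: NPCT7XX parts are not vulnerable to CVE-2023-1017
        return "not-affected", "model %s is not NPCT65x" % model
    if version == "id:13":
        return "affected", "NPCT65x in TPM 2.0 mode, firmware v1.3.x"
    if version == "id:0581":
        return "not-affected", "NPCT65x in TPM 1.2 mode, firmware v5.81.x"
    return "unknown", "TPMVersion %s not listed; check UEFI Setup" % version


def check(text):
    """Convenience wrapper: raw identity line -> (status, reason)."""
    return classify(parse_ek_identity(text))


# Constructed samples (not real captures), one per tool output format.
LINUX_SAN = "DirName:/2.23.133.2.1=id:4E544300/2.23.133.2.2=NPCT6xx/2.23.133.2.3=id:13"
WINDOWS_SUBJECT = "TPMManufacturer=id:4E544300 + TPMModel=NPCT6xx + TPMVersion=id:13"

if __name__ == "__main__":
    for sample in (LINUX_SAN, WINDOWS_SUBJECT):
        print(sample, "->", check(sample))
```

An "affected" result only means the part and firmware family match; the exact firmware version (1.3.0.1, 1.3.1.0 or 1.3.2.8) is confirmed in UEFI Setup as described above.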

 

Mitigation Strategy for Customers (what you should do to protect yourself):

Nuvoton recommends updating your firmware to the latest version (or newer) indicated for your model in the Product Impact section below.

Some systems may require multiple steps to update the TPM firmware, such as first installing a UEFI firmware update and then using UEFI Setup to update the TPM firmware. Additional guidance is provided in the Product Impact section below and in the update release notes.

A full AC power cycle (hard reset) will restore functionality to Nuvoton's NPCT65x TPM if it enters protection mode as a result of an attack related to this vulnerability. 

 

ThinkAgile customers:

For Nutanix software, see https://www.nutanix.com/trust/security-advisories for risk exposure, resolution and mitigations.

For VMware software and appliances, see https://www.vmware.com/security/advisories.html for risk exposure, resolution and mitigations.

 

 

Product Impact:

To download the version specified for your product below, follow these steps:

Navigate to the Drivers & Software support site for your product:

  1. Search for your product by name or machine type.
  2. Click Drivers & Software on the left menu panel.
  3. Click on Manual Update to browse by Component type.
  4. Compare the minimum fix version for your product from the applicable product table below with the latest version posted on the support site.

Lenovo also offers tools to assist with update management as an alternative to the manual steps described above. Refer to the following for additional help:

PC Products and Software: https://support.lenovo.com/us/en/solutions/ht504759

Server and Enterprise Software: https://support.lenovo.com/us/en/solutions/lnvo-lxcaupd and https://datacentersupport.lenovo.com/us/en/documents/lnvo-center

 

References:

https://www.nuvoton.com/support/security/security-advisories/sa-003/

https://support.lenovo.com/us/en/product_security/LEN-118374

https://www.nutanix.com/trust/security-advisories 

https://www.vmware.com/security/advisories.html

https://kb.cert.org/vuls/id/782720

 

Revision History:

Revision | Date | Description
8 | 2023-08-03 | Updated product impact
7 | 2023-06-22 | Updated product impact
6 | 2023-06-08 | Updated product impact
5 | 2023-04-06 | Updated product impact
4 | 2023-03-09 | Updated product impact
3 | 2023-03-07 | Fix Nuvoton url in Reference section
2 | 2023-03-03 | Updated product impact
1 | 2023-02-28 | Initial release

For the most up to date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an “as is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.

 

Product Impact:

Converged HX

Product | Component | Default Shipped TPM Version | Minimum Fixed Version
Converged HX1310 Appliance | Lenovo System x3550 M5 UEFI Firmware | 1.2 | 3.9
Converged HX2310-E Appliance | Lenovo System x3550 M5 UEFI Firmware | 1.2 | 3.9
Converged HX3310 Nutanix Appliance | Lenovo System x3550 M5 UEFI Firmware | 1.2 | 3.9
Converged HX3310-F Appliance | Lenovo System x3550 M5 UEFI Firmware | 1.2 | 3.9
Converged HX3510-G Appliance | Lenovo System x3650 M5 UEFI Firmware | 1.2 | 3.9
Converged HX5510 Appliance | Lenovo System x3650 M5 UEFI Firmware | 1.2 | 3.9
Converged HX5510-C Appliance | Lenovo System x3650 M5 UEFI Firmware | 1.2 | 3.9
Converged HX7510 Appliance | Lenovo System x3650 M5 UEFI Firmware | 1.2 | 3.9

Hyperscale

Product | Component | Default TPM Version | Minimum Fixed Version
HR610X (Hyperscale) | BIOS - ThinkSystem HR610X/HR630X/HR650X | 2.0 | HR6N0666
R630X (HyperScale) | BIOS - ThinkSystem HR610X/HR630X/HR650X | 2.0 | HR6N0666
HR650X (Hyperscale) | BIOS - ThinkSystem HR610X/HR630X/HR650X | 2.0 | HR6N0666

Storage

Product | Component | Default TPM Version | Minimum Fixed Version
DX1100U (ThinkSystem) | Lenovo ThinkSystem SR630/SR650/SN550/SN850 UEFI Firmware (For AnyOS) | 1.2 | ive182h
DX8200C Storage (StorSelect) | DX8200 UEFI Firmware | 1.2 | 3.9
DX8200D Storage (StorSelect) | DX8200 UEFI Firmware | 1.2 | 3.9
DX8200D (ThinkSystem) | Lenovo ThinkSystem SR630/SR650/SN550/SN850 UEFI Firmware (For AnyOS) | 1.2 | ive182h
DX8200N Storage (StorSelect) | DX8200 UEFI Firmware | 1.2 | 3.9

System x

Product | Component | Default TPM Version | Minimum Fixed Version
Compute Node - nx360 M5 (NeXtScale) | Lenovo NeXtScale nx360 M5 Compute Node UEFI Firmware | 1.2 | 3.60
Compute Node - nx360 M5 water-cooled (NeXtScale) | Lenovo NeXtScale nx360 M5 Compute Node UEFI Firmware | 1.2 | 3.60
Compute Node - x240 M5 (Flex) | Lenovo Flex Compute Node x240 M5 UEFI Firmware | 1.2 | 3.70
Compute Node - x240 M5 (Flex) | Lenovo Flex System x240 M5 Compute Node UEFI Firmware | 1.2 | 3.70
Compute Node - x280 X6 (Flex) | Lenovo Flex System x280 X6, x480 X6, and x880 X6 Compute Node UEFI Firmware | 1.2 | 3.70
Compute Node - x480 X6 (Flex) | Lenovo Flex System x280 X6, x480 X6, and x880 X6 Compute Node UEFI Firmware | 1.2 | 3.90
Compute Node - x880 X6 (Flex) | Lenovo Flex System x280 X6, x480 X6, and x880 X6 Compute Node UEFI Firmware | 1.2 | 3.90
System x3250 M6 | Lenovo System x3250 M6 UEFI Firmware | 1.2 | 3.90
System x3500 M5 | Lenovo System x3500 M5 UEFI Firmware | 1.2 | 3.90
System x3550 M5 | Lenovo System x3550 M5 UEFI Firmware | 1.2 | 3.90
System x3650 M5 | Lenovo System x3650 M5 UEFI Firmware | 1.2 | 3.90
System x3850 X6 | System x3850 X6 / x3950 X6 UEFI Firmware | 1.2 | 5.40
System x3950 X6 | System x3850 X6 / x3950 X6 UEFI Firmware | 1.2 | 5.40

ThinkAgile

Product | Component | Default TPM Version | Minimum Fixed Version
HX1320 Appliance (ThinkAgile) | Lenovo ThinkSystem SR630/SR650/SN550/SN850 UEFI Firmware (For AnyOS) | 1.2 | ive182h
HX1321 Certified Node (ThinkAgile) | Lenovo ThinkSystem SR630/SR650/SN550/SN850 UEFI Firmware (For AnyOS) | 1.2 | ive182h
X1520-R Appliance (ThinkAgile) | Lenovo ThinkSystem SR630/SR650/SN550/SN850 UEFI Firmware (For AnyOS) | 1.2 | ive182h
HX1521-R Certified Node (ThinkAgile) | Lenovo ThinkSystem SR630/SR650/SN550/SN850 UEFI Firmware (For AnyOS) | 1.2 | ive182h
X2320 Appliance (ThinkAgile) | Lenovo ThinkSystem SR630/SR650/SN550/SN850 UEFI Firmware (For AnyOS) | 1.2 | ive182h
X2320-E Appliance (ThinkAgile) | Lenovo ThinkSystem SR630/SR650/SN550/SN850 UEFI Firmware (For AnyOS) | 1.2 | ive182h
X2321 Certified Node (ThinkAgile) | Lenovo ThinkSystem SR630/SR650/SN550/SN850 UEFI Firmware (For AnyOS) | 1.2 | ive182h
X2720-E Appliance (ThinkAgile) | Lenovo ThinkSystem SD530/SR530/SR550/SR570/SR590/SR850/SR860/SR850P UEFI Firmware (For AnyOS) | 1.2 | tee182h
HX3320 Appliance (ThinkAgile) | Lenovo ThinkSystem SR630/SR650/SN550/SN850 UEFI Firmware (For AnyOS) | 1.2 | ive182h
HX3321 Certified Node (ThinkAgile) | Lenovo ThinkSystem SR630/SR650/SN550/SN850 UEFI Firmware (For AnyOS) | 1.2 | ive182h
X3520-G Appliance (ThinkAgile) | Lenovo ThinkSystem SR630/SR650/SN550/SN850 UEFI Firmware (For AnyOS) | 1.2 | ive182h
HX3521-G Certified Node (ThinkAgile) | Lenovo ThinkSystem SR630/SR650/SN550/SN850 UEFI Firmware (For AnyOS) | 1.2 | ive182h
HX3720 Appliance (ThinkAgile) | Lenovo ThinkSystem SD530/SR530/SR550/SR570/SR590/SR850/SR860/SR850P UEFI Firmware (For AnyOS) | 1.2 | tee182h
HX3721 Certified Node (ThinkAgile) | Lenovo ThinkSystem SD530/SR530/SR550/SR570/SR590/SR850/SR860/SR850P UEFI Firmware (For AnyOS) | 1.2 | tee182h
HX5520 Appliance (ThinkAgile) | Lenovo ThinkSystem SR630/SR650/SN550/SN850 UEFI Firmware (For AnyOS) | 1.2 | ive182h
HX5520-C Appliance (ThinkAgile) | Lenovo ThinkSystem SR630/SR650/SN550/SN850 UEFI Firmware (For AnyOS) | 1.2 | ive182h
HX5521 Certified Node (ThinkAgile) | Lenovo ThinkSystem SR630/SR650/SN550/SN850 UEFI Firmware (For AnyOS) | 1.2 | ive182h
HX5521-C Certified Node (ThinkAgile) | Lenovo ThinkSystem SR630/SR650/SN550/SN850 UEFI Firmware (For AnyOS) | 1.2 | ive182h
HX7520 Appliance (ThinkAgile) | Lenovo ThinkSystem SR630/SR650/SN550/SN850 UEFI Firmware (For AnyOS) | 1.2 | ive182h
HX7521 Certified Node (ThinkAgile) | Lenovo ThinkSystem SR630/SR650/SN550/SN850 UEFI Firmware (For AnyOS) | 1.2 | ive182h
HX7820 Appliance (ThinkAgile) | Lenovo ThinkSystem SR950 UEFI Firmware (For AnyOS) | 1.2 | pse148j
HX7821 Certified Node (ThinkAgile) | Lenovo ThinkSystem SR950 UEFI Firmware (For AnyOS) | 1.2 | pse148j
MX 1U - MX3321 F (ThinkAgile) | Lenovo ThinkSystem SR630/SR650/SN550/SN850 UEFI Firmware (For AnyOS) | 1.2 | ive182h
MX 1U - MX3321 H (ThinkAgile) | Lenovo ThinkSystem SR630/SR650/SN550/SN850 UEFI Firmware (For AnyOS) | 1.2 | ive182h
MX3520 F Appliance - All flash (ThinkAgile) | Lenovo ThinkSystem SR630/SR650/SN550/SN850 UEFI Firmware (For AnyOS) | 1.2 | ive182h
MX3520 H Appliance - Hybrid (ThinkAgile) | Lenovo ThinkSystem SR630/SR650/SN550/SN850 UEFI Firmware (For AnyOS) | 1.2 | ive182h
ThinkAgile MX Certified Node – All Flash | Lenovo ThinkSystem SR630/SR650/SN550/SN850 UEFI Firmware (For AnyOS) | 1.2 | ive182h
ThinkAgile MX Certified Node – Hybrid | Lenovo ThinkSystem SR630/SR650/SN550/SN850 UEFI Firmware (For AnyOS) | 1.2 | ive182h
VX 1SE Certified Node (ThinkAgile) | SR250/SR150/ST250 UEFI Firmware (For AnyOS) | 1.2 | ise134f
VX 1U Certified Node (ThinkAgile) | Lenovo ThinkSystem SR630/SR650/SN550/SN850 UEFI Firmware (For AnyOS) | 1.2 | ive182h
VX 2U Certified Node (ThinkAgile) | Lenovo ThinkSystem SR630/SR650/SN550/SN850 UEFI Firmware (For AnyOS) | 1.2 | ive182h
VX 2U4N Certified Node (ThinkAgile) | Lenovo ThinkSystem SD530/SR530/SR550/SR570/SR590/SR850/SR860/SR850P UEFI Firmware (For AnyOS) | 1.2 | tee182h
VX 4U Certified Node (ThinkAgile) | Lenovo ThinkSystem SR950 UEFI Firmware (For AnyOS) | 1.2 | pse148j
VX1320 (ThinkAgile) | SR250/SR150/ST250 UEFI Firmware (For AnyOS) | 1.2 | ise134f
VX2320 (ThinkAgile) | Lenovo ThinkSystem SR630/SR650/SN550/SN850 UEFI Firmware (For AnyOS) | 1.2 | ive182h
VX3320 (ThinkAgile) | Lenovo ThinkSystem SR630/SR650/SN550/SN850 UEFI Firmware (For AnyOS) | 1.2 | ive182h
VX3520-G (ThinkAgile) | Lenovo ThinkSystem SR630/SR650/SN550/SN850 UEFI Firmware (For AnyOS) | 1.2 | ive182h
VX3720 (ThinkAgile) | Lenovo ThinkSystem SD530/SR530/SR550/SR570/SR590/SR850/SR860/SR850P UEFI Firmware (For AnyOS) | 1.2 | tee182h
VX5520 (ThinkAgile) | Lenovo ThinkSystem SR630/SR650/SN550/SN850 UEFI Firmware (For AnyOS) | 1.2 | ive182h
VX7320 N (ThinkAgile) | Lenovo ThinkSystem SR630/SR650/SN550/SN850 UEFI Firmware (For AnyOS) | 1.2 | ive182h
VX7520 (ThinkAgile) | Lenovo ThinkSystem SR630/SR650/SN550/SN850 UEFI Firmware (For AnyOS) | 1.2 | ive182h
VX7520 N (ThinkAgile) | Lenovo ThinkSystem SR630/SR650/SN550/SN850 UEFI Firmware (For AnyOS) | 1.2 | ive182h
VX7820 (ThinkAgile) | Lenovo ThinkSystem SR950 UEFI Firmware (For AnyOS) | 1.2 | pse148j

ThinkServer

Product | Component | Default TPM Version | Minimum Fixed Version
Rack Server - RS160 (ThinkServer) | BIOS Update Utility for Windows (64-bit) - ThinkServer RS160 | 2.0 | Service call required. Contact support.
Rack Server - RS260 (ThinkServer) | BIOS Update Utility for Windows (64-bit) - ThinkServer RS160 | 2.0 | Service call required. Contact support.
Tower Server - TS460 (ThinkServer) | BIOS Update Utility for Windows (64-bit) - ThinkServer TS460 | 2.0 | Service call required. Contact support.
Tower Server - TS560 (ThinkServer) | BIOS Update Utility for Windows (64-bit) - ThinkServer TS460 | 2.0 | Service call required. Contact support.

ThinkStation

Product | Component | Default TPM Version | Minimum Fixed Version
P920 Rack Workstation (ThinkStation) | Lenovo ThinkSystem SR630/SR650/SN550/SN850 UEFI Firmware (For AnyOS) | 1.2 | ive182h

ThinkSystem

Product | Component | Default TPM Version | Minimum Fixed Version
SD530 (ThinkSystem) | Lenovo ThinkSystem SD530/SR530/SR550/SR570/SR590/SR850/SR860/SR850P UEFI Firmware (For AnyOS) | 1.2 | tee182h
SD650 DWC Dual Node Tray (ThinkSystem) | Lenovo ThinkSystem SD650 UEFI Firmware (For AnyOS) | 1.2 | ote182h
SN550 (ThinkSystem) | Lenovo ThinkSystem SR630/SR650/SN550/SN850 UEFI Firmware (For AnyOS) | 1.2 | ive182h
SN850 (ThinkSystem) | Lenovo ThinkSystem SR630/SR650/SN550/SN850 UEFI Firmware (For AnyOS) | 1.2 | ive182h
SR150 (ThinkSystem) | SR250/SR150/ST250 UEFI Firmware (For AnyOS) | 1.2 | ise134f
SR158 (ThinkSystem) | SR250/SR150/ST250 UEFI Firmware (For AnyOS) | 1.2 | ise134f
SR250 (ThinkSystem) | SR250/SR150/ST250 UEFI Firmware (For AnyOS) | 1.2 | ise134f
SR258 (ThinkSystem) | SR250/SR150/ST250 UEFI Firmware (For AnyOS) | 1.2 | ise134f
SR530 (ThinkSystem) | Lenovo ThinkSystem SD530/SR530/SR550/SR570/SR590/SR850/SR860/SR850P UEFI Firmware (For AnyOS) | 1.2 | tee182h
SR550 (ThinkSystem) | Lenovo ThinkSystem SD530/SR530/SR550/SR570/SR590/SR850/SR860/SR850P UEFI Firmware (For AnyOS) | 1.2 | tee182h
SR570 (ThinkSystem) | Lenovo ThinkSystem SD530/SR530/SR550/SR570/SR590/SR850/SR860/SR850P UEFI Firmware (For AnyOS) | 1.2 | tee182h
SR590 (ThinkSystem) | Lenovo ThinkSystem SD530/SR530/SR550/SR570/SR590/SR850/SR860/SR850P UEFI Firmware (For AnyOS) | 1.2 | tee182h
SR630 (ThinkSystem) | Lenovo ThinkSystem SR630/SR650/SN550/SN850 UEFI Firmware (For AnyOS) | 1.2 | ive182h
SR650 (ThinkSystem) | Lenovo ThinkSystem SR630/SR650/SN550/SN850 UEFI Firmware (For AnyOS) | 1.2 | ive182h
SR850 (ThinkSystem) | Lenovo ThinkSystem SD530/SR530/SR550/SR570/SR590/SR850/SR860/SR850P UEFI Firmware (For AnyOS) | 1.2 | tee182h
SR850P (ThinkSystem) | Lenovo ThinkSystem SD530/SR530/SR550/SR570/SR590/SR850/SR860/SR850P UEFI Firmware (For AnyOS) | 1.2 | tee182h
SR850P (ThinkSystem) | Lenovo ThinkSystem SR850P UEFI Firmware (For AnyOS) | 1.2 | tee182h
SR860 (ThinkSystem) | Lenovo ThinkSystem SD530/SR530/SR550/SR570/SR590/SR850/SR860/SR850P UEFI Firmware (For AnyOS) | 1.2 | tee182h
SR950 (ThinkSystem) | Lenovo ThinkSystem SR950 UEFI Firmware (For AnyOS) | 1.2 | pse148j
ST250 (ThinkSystem) | SR250/SR150/ST250 UEFI Firmware (For AnyOS) | 1.2 | ise134f
ST258 (ThinkSystem) | SR250/SR150/ST250 UEFI Firmware (For AnyOS) | 1.2 | ise134f
ST550 (ThinkSystem) | Lenovo ThinkSystem ST550/ST558 UEFI Firmware (For AnyOS) | 1.2 | o0e182h
ST558 (ThinkSystem) | Lenovo ThinkSystem ST550/ST558 UEFI Firmware (For AnyOS) | 1.2 | o0e182h


Alias Id:LEN-118320
Document ID:PS500550
Original Publish Date:02/28/2023
Last Modified Date:08/03/2023