
TPM 2.0 Vulnerabilities

Lenovo Security Advisory: LEN-118374

Potential Impact: Information Disclosure, Escalation of Privilege

Severity: High

Scope of Impact: Industry-wide

CVE Identifier: CVE-2023-1017, CVE-2023-1018

 

Summary Description:

The following vulnerabilities were discovered in the TPM 2.0 reference implementation code published by the Trusted Computing Group, which could potentially result in information disclosure or escalation of privilege.

CVE-2023-1017: An out-of-bounds write vulnerability has been identified in the TPM 2.0 reference implementation code published by the Trusted Computing Group.

CVE-2023-1018: An out-of-bounds read vulnerability has been identified in the TPM 2.0 reference implementation code published by the Trusted Computing Group.

NOTE: Nuvoton reported that successful exploitation of CVE-2023-1017 can lead to denial of service in the Nuvoton NPCT65x TPM. Refer to LEN-118320 for impact on Lenovo products affected by Nuvoton SA-003.

 

Mitigation Strategy for Customers (what you should do to protect yourself):

ThinkAgile customers:

For Nutanix software, see https://www.nutanix.com/trust/security-advisories for risk exposure, resolution and mitigations.

For VMware software and appliances, see https://www.vmware.com/security/advisories.html for risk exposure, resolution and mitigations.

For products affected by Nuvoton-SA-003, refer to LEN-118320 for any required updates.

Lenovo is not aware of any other affected products.

 

References:

https://kb.cert.org/vuls/id/782720

https://support.lenovo.com/product_security/LEN-118320

https://www.nuvoton.com/support/security/security-advisories/sa-003/

https://www.nutanix.com/trust/security-advisories

https://www.vmware.com/security/advisories.html

 

Revision History:

Revision  Date        Description
3         2023-03-07  Correct broken link
2         2023-03-01  Correct broken link
1         2023-02-28  Initial release

For the most up-to-date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an “as is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.


Alias Id: LEN-118374
Document ID: PS500551
Original Publish Date: 02/28/2023
Last Modified Date: 03/07/2023