TPM 2.0 Vulnerabilities
Lenovo Security Advisory: LEN-118374
Potential Impact: Information Disclosure, Escalation of Privilege
Severity: High
Scope of Impact: Industry-wide
CVE Identifier: CVE-2023-1017, CVE-2023-1018
Summary Description:
The following vulnerabilities were discovered in the TPM 2.0 reference implementation code published by the Trusted Computing Group. They could potentially result in information disclosure or escalation of privilege.
CVE-2023-1017: An out-of-bounds write vulnerability has been identified in the TPM 2.0 reference implementation code published by the Trusted Computing Group.
CVE-2023-1018: An out-of-bounds read vulnerability has been identified in the TPM 2.0 reference implementation code published by the Trusted Computing Group.
NOTE: Nuvoton reported that successful exploitation of CVE-2023-1017 can lead to denial of service in the Nuvoton NPCT65x TPM. Refer to LEN-118320 for impact on Lenovo products affected by Nuvoton SA-003.
Mitigation Strategy for Customers (what you should do to protect yourself):
ThinkAgile customers:
For Nutanix software, see https://www.nutanix.com/trust/security-advisories for risk exposure, resolution and mitigations.
For VMware software and appliances, see https://www.vmware.com/security/advisories.html for risk exposure, resolution and mitigations.
For products affected by Nuvoton-SA-003, refer to LEN-118320 for any required updates.
Lenovo is not aware of any other affected products.
References:
https://kb.cert.org/vuls/id/782720
https://support.lenovo.com/product_security/LEN-118320
https://www.nuvoton.com/support/security/security-advisories/sa-003/
https://www.nutanix.com/trust/security-advisories
https://www.vmware.com/security/advisories.html
Revision History:
Revision | Date | Description |
---|---|---|
3 | 2023-03-07 | Correct broken link |
2 | 2023-03-01 | Correct broken link |
1 | 2023-02-28 | Initial release |
For the most up to date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an “as is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.