SA-003: Denial of Service via Out-of-Bounds write to TPM
Vulnerability Type: Out-of-bounds Write
Affected Product(s): NPCT65x with Firmware 1.3.0.1, 1.3.1.0 & 1.3.2.8
Fixed Product(s): Firmware Version: 1.3.2.20. For details on firmware updates, please contact the system OEM.
Workaround: A full power cycle (hard reset) will restore functionality to NPCT65x.
Attack Type: Local
Impact: Denial of Service
Affected Components: The entire TPM.
Attack Vector: Attempted memory corruption via out-of-bounds write.
Severity: Medium (Note – the scoring referenced in the general CVE for this vulnerability is incorrect when applied to Nuvoton TPM NPCT65x. In Nuvoton’s implementation, the scoring referenced in this Security Advisory under “Severity” is the correct one.)
Detailed Description: An out-of-bounds write vulnerability exists in the TPM2.0 Module Library. An attacker who successfully exploits this vulnerability can cause a denial of service in the Nuvoton TPM NPCT65x. The attack does not succeed in writing to or corrupting the NPCT65x, but it does cause the NPCT65x to become inaccessible as it enters a recoverable protection mode intended to safeguard the NPCT65x and its contents.
NOTE: Upgrading to firmware version 1.3.2.20 will fully correct this issue; however, version 1.3.2.20 is not FIPS, TCG or Common Criteria (CC) certified (though functionality-wise, there are no real differences between versions 1.3.2.8 and 1.3.2.20). Those who are unable to update to firmware version 1.3.2.20 should use the workaround above.
Discoverer(s)/Credits:
Disclosure: TCG TPM2.0 implementations vulnerable to memory corruption
Researcher: Francisco Falcon of Quarkslab
CVE Identifier: CVE-2023-1017