Vulnerability Type: Out-of-bounds Write

Affected Product(s): NPCT65x with Firmware 1.3.0.1, 1.3.1.0 & 1.3.2.8

Fixed Product(s): Firmware Version: 1.3.2.20. For details on firmware updates, please contact the system OEM.

Workaround: A full power cycle (hard reset) will restore functionality to NPCT65x.

Attack Type: Local

Impact: Denial of Service

Affected Components: The entire TPM.

Attack Vector: Attempted memory corruption via out of bounds write.

Severity: Medium (Note – the scoring referenced in the general CVE for this vulnerability is incorrect when applied to Nuvoton TPM NPCT65x. In Nuvoton’s implementation, the scoring referenced in this Security Advisory under “Severity” is the correct one.)

Detailed Description: An out-of-bounds write vulnerability exists in TPM2.0's Module Library. An attacker who can successfully exploit this vulnerability can lead to denial of service in Nuvoton TPM NPCT65x.  The attack does not succeed in writing to or corrupting the NPCT65x but does cause the NPCT65x to become inaccessible as it enters a recoverable protection mode intended to safeguard the NPCT65x and its contents.

NOTE: Upgrading to firmware version 1.3.2.20 will fully correct this issue; however, version 1.3.2.20 is not FIPS, TCG or Common Criteria (CC) certified (though functionality wise, there are no real differences between versions 1.3.2.8 and 1.3.2.20). For those who are unable to update to firmware version 1.3.2.20, please note the workaround above.

Discoverer(s)/Credits:

Disclosure: TCG TPM2.0 implementations vulnerable to memory corruption

Researcher: Francisco Falcon of Quarkslab

CVE Identifier: CVE-2023-1017