TPM chips used in computers of various types have been found to be vulnerable to two new attack types. These hardware components are part of motherboards used in various industries and case scenarios. New security research shows that malicious actors can potentially tamper with the configuration process.
TPM Chips Vulnerabilities Can Manipulate the Configuration Settings of Computers
A new dangerous vulnerability has been identified in the TPM chip used in a wide variety of computers. Their long names mean “Trusted Platform Module” and represent special microcrontrollers that are used in hardware authentication checks. This is an important security operation that makes sure that the specified device possesses the correct identify in order to run the installed operating system. While this is not mandatory with personal computers belonging to ordinary users, it is an important procedure with government or business systems that control important infrastructure. Dedicated specifications oversee the TPM chip procedures.
Recently security researchers from South Korea identified two TPM chip attacks that result in the discovery of a specific vulnerability. They allow a malicious user to tamper with the boot configuration thereby allowing for dangerous conditions to take place. Modifications can modify the boot order by running the first boot device from a removable device which can launch a hostile operating system.
The first attack acts against devices employing a TMP chip set as a static root of trust for measurement (SRTM). The hacker tactic is to abuse power interrupts which can trick the components into running non-secure variables. According to the researchers this is a specification fault. As a result of this the criminals can effectively bypass the placed security measures. A solution is a hardware patch that will remedy the BIOS/UEFI configuration options allowing this.
The second TPM attack targets chips that are set as a dynamic root of trust for measurement (DRTM). It affects only machines that run on the Intel’s Trusted eXecution Technology (TXT) during the boot-up procedures. The researchers point out that here the cause of the vulnerability is a flaw in the Trusted Boot component which is an open-source library implemented by Intel. A patch has been issued last year however not all hardware vendors have updated their BIOS/UEFI images with it.
The two issues have received a security advisory that is tracked in these two CVE entries:
- CVE-2018-6622 — An issue was discovered that affects all producers of BIOS firmware who make a certain realistic interpretation of an obscure portion of the Trusted Computing Group (TCG) Trusted Platform Module (TPM) 2.0 specification. An abnormal case is not handled properly by this firmware while S3 sleep and can clear TPM 2.0. It allows local users to overwrite static PCRs of TPM and neutralize the security features of it, such as seal/unseal and remote attestation.
- CVE-2017-16837 — Certain function pointers in Trusted Boot (tboot) through 1.9.6 are not validated and can cause arbitrary code execution, which allows local users to overwrite dynamic PCRs of Trusted Platform Module (TPM) by hooking these function pointers.
There are several ways that the issue can be fixed. One of it is to disable the S3 sleeping state in the BIOS/UEFI menu as it has been found to pass on certain parameters to the TPM chips The second approach is to revise the TPM 2.0 specifications into executing alternative actions upon encountering certain conditions. However the most effective solution is to apply the latest update to the BIOS/UEFI module which fixes the issue. The users will need to monitor the release notes for mentions of the above-mentioned CVE advisories.
For more information on the issue you can read the presentation.