Two out-of-bounds buffer overflow vulnerabilities have been found in the TPM 2.0 system hardware used across all Windows 11 devices. A TPM (Trusted Platform Module) is a processor used for hardware-based cryptographic operations, to secure encryption keys, and protect the boot process by defending against malicious tampering. Microsoft made it a requirement for PCs to have TPM 2.0 in order to run Windows 11 due to the security it provides to the boot process, and for authentication control procedures such as Windows Hello. TPMs are also used by Linux computers however there is no specific requirement for their use in the operating system.  

The two vulnerabilities found in TPM 2.0 are in the reference implementation code published by Trusted Computing Group, who released a security bulletin informing users that exploitation of these flaws could result in information disclosure, or elevation of privileges. Out-of-bounds write vulnerability CVE-2023-1017 found in the Module Library could allow 2 bytes of data to be written past the end of the command in the CryptParameterDecryption routine. A malicious actor exploiting this flaw could cause the TPM chip to crash resulting in denial of service or trigger arbitrary code execution in the system. An unsuccessful attack could still result in the TPM becoming inaccessible, as detailed in Lenovo’s security advisory, if the attack causes the module to enter a protected state, which can only be resolved through a hard reset. The second vulnerability CVE-2023-1018 is an out-of-bound read vulnerability found in the same routine of the Module Library, CryptParameterDecryption. An exploit of this flaw could allow an attacker to read or access any data stored on the TPM, including sensitive data such as cryptographic keys. 

Fixed versions of the TPM 2.0 library specification are available to upgrade to in order to patch these flaws. TPM 2.0 library Specifications v1.59 Errata Version 1.4 or higher, v1.38 Errata Version 1.13 or higher, and v1.16 Errata Version 1.6 or higher can all be found on the Trusted Computing Group website. For an exploit of these flaws to take place, an attacker would need authenticated local access to the target device. However, as the presence of malware running on the target machine could satisfy these conditions, all users with TPMs installed should apply these upgrades as soon as possible by installing updated firmware for their TPM when it is made available by their PC manufacturer.