
Thursday, October 26, 2017

Serious vulnerability: RSA keys generated by Infineon TPMs are insecure

Normally I do not talk about single security vulnerabilities unless they are really serious ones that are a little bit odd and out of the normal security scope (like patching vulnerable Windows services, which is done automatically during patch days). Here manual interaction is necessary!

Today we talk about a serious one in Infineon TPMs. It is a bug in the firmware's RSA key generation which unfortunately affects many different models from many different vendors. It is CVE-2017-15361, also referred to as "Return of Coppersmith's Attack" (ROCA).

ATTENTION! Applying the firmware update is not enough! You will need additional steps depending on which Microsoft services and functions you used with the TPM before, e.g. BitLocker, Active Directory etc.!!!




Affected are Infineon TPM chips, which are used widely.

Here is the MS Security Advisory (on first access you need to accept the EULA; afterwards you may need to click this link again!!!)
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV170012

Here is the Infineon statement
https://www.infineon.com/TPM-update


List of affected models by vendor
(the list is not complete, just major vendors are included, but the links may already contain the right firmware update packages by model!)


ACER
https://us.answers.acer.com/app/answers/detail/a_id/51137

Dell (hardly affected)
http://www.dell.com/support/article/SLN307820

HP (Consumer)
https://support.hp.com/us-en/document/c05792935

HP (Enterprise Support)
https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03789en_us

Lenovo
https://support.lenovo.com/us/en/product_security/LEN-15552

Fujitsu
http://www.fujitsu.com/global/support/products/software/security/products-f/ifsa-201701e.html

Toshiba
http://go.toshiba.com/tpmsecuritynotice


Known affected vendors (as of 10/24/2017)
(for newer information check the CVE above again!)
  • Atos SE
  • Dell
  • Fujitsu
  • Gemalto AV
  • Google
  • Hewlett Packard Enterprise
  • Infineon Technologies AG
  • Lenovo
  • Microsoft Corporation
  • Rubrik
  • WinMagic
  • Yubico

Microsoft devices affected:

If your hardware is a Surface device, firmware updates are not yet available as of October 10, 2017. Microsoft is working to make firmware updates available for the following affected devices and will provide links to the updates when they become available.

  • Surface Book
  • Surface Pro 3
  • Surface Pro 4
  • Surface Studio
  • Surface Hub
Note that the Surface 3, Surface Laptop, and the Surface Pro released in June 2017 are NOT affected by this vulnerability.

To check your own machine:
  1. Apply the latest MS October 2017 cumulative update!
  2. Open "TPM.msc"
  3. Check the Status entry (after the update it reports whether the TPM firmware is affected)
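TPM.msc only tells you whether the chip's firmware is affected. Keys that an affected chip has already generated (the same Infineon library also ships in smart cards and in products of other vendors on the list above, e.g. Yubico) can be recognised from the public key alone, because the faulty generator only produces primes of a special form and that form leaves a fingerprint in the modulus. The following Python is an added example, not code from this post, from Infineon or from Microsoft; it implements the fingerprint test the ROCA researchers published, and it builds constructed test moduli (a generator that reproduces only the structure the test looks for, and a control with random primes) so it runs offline. To check a real key, pass it the modulus printed by `openssl x509 -noout -modulus -in cert.pem` or `openssl rsa -pubin -noout -modulus -in key.pem`.

```python
"""ROCA (CVE-2017-15361) fingerprint check for RSA public keys.

Added example, not code from the post's author, Infineon or Microsoft. Primes
from the affected Infineon library have the form p = k*M + (65537^a mod M),
where M is the product of the first few primes, so for every small prime r
dividing M the modulus n = p*q satisfies n mod r in <65537>, the subgroup of
Z_r^* generated by 65537. A modulus from a sound library fails this for some r
with overwhelming probability. The test only flags keys; it does not factor them.
"""
import random

# First 39 primes: enough for a negligible false-positive rate at every key size.
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53,
                59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113,
                127, 131, 137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537


def generator_residues(r: int) -> frozenset:
    """All values GENERATOR^k mod r, i.e. the subgroup of Z_r^* generated by 65537."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * GENERATOR) % r
    return frozenset(seen)


# Precomputed once: for each small prime, the residues an affected modulus can have.
FINGERPRINT = {r: generator_residues(r) for r in SMALL_PRIMES}


def is_roca_fingerprint(n: int) -> bool:
    """True when n mod r lies in the subgroup generated by 65537 for every small prime r."""
    return all((n % r) in residues for r, residues in FINGERPRINT.items())


def parse_openssl_modulus(line: str) -> int:
    """Parse the 'Modulus=ABCD...' line printed by `openssl x509 -noout -modulus`."""
    return int(line.strip().split("=")[-1], 16)


def is_probable_prime(n: int, rng: random.Random, rounds: int = 20) -> bool:
    """Miller-Rabin primality test, used only to build the constructed test moduli."""
    if n < 2:
        return False
    for r in SMALL_PRIMES:          # cheap trial division first
        if n % r == 0:
            return n == r
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False            # no square root of 1 found: composite
    return True


M = 1
for _r in SMALL_PRIMES:
    M *= _r                         # primorial of the first 39 primes, about 219 bits


def constructed_roca_prime(rng: random.Random) -> int:
    """Constructed ~256-bit prime of the shape k*M + 65537^a mod M (test input only).

    This reproduces just the structure the fingerprint looks for; it is not the
    affected library's key generator.
    """
    while True:
        k = rng.randrange(1 << 36, 1 << 37)
        p = k * M + pow(GENERATOR, rng.randrange(1, M), M)
        if is_probable_prime(p, rng):
            return p


def constructed_sound_prime(rng: random.Random, bits: int = 256) -> int:
    """Constructed random prime without special structure (control case)."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(p, rng):
            return p


def demo() -> tuple:
    """Return (flag for constructed affected modulus, flag for control modulus)."""
    rng = random.Random(2017)
    affected = constructed_roca_prime(rng) * constructed_roca_prime(rng)
    control = constructed_sound_prime(rng) * constructed_sound_prime(rng)
    return is_roca_fingerprint(affected), is_roca_fingerprint(control)


if __name__ == "__main__":
    affected_hit, control_hit = demo()
    print("constructed affected modulus flagged:", affected_hit)   # True
    print("constructed control modulus flagged: ", control_hit)    # False
```

A positive result means the key must be treated as compromised and regenerated after the firmware update; a negative result says nothing about the firmware, so the TPM.msc check above still applies.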



Additional steps are needed!
Therefore check out the Microsoft Advisory, section "Recommended Actions"!
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV170012


Special thanks to Andreas Erber, who brought this to my attention!