Today we talk about a serious one in Infineon TPMs. It is a bug in the firmware implementation of RSA key generation which unfortunately affects many different models from many different vendors. It is CVE-2017-15361, also referred to as "Return of Coppersmith's Attack" (ROCA): RSA keys generated by the affected firmware have a structure that lets an attacker factor them, i.e. recover the private key from the public key alone, and for the common 1024- and 2048-bit key sizes this is practical.
ATTENTION! Applying the firmware update is not enough! Keys that were generated by the old firmware stay weak, so you will need additional steps depending on the Microsoft services and functions you used with the TPM before, e.g. BitLocker, Active Directory etc.!
Affected are Infineon TPM chips, which are widely used.
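Because the weak keys share a recognisable structure, you can test any RSA public key (for example a certificate enrolled in Active Directory with a TPM-backed key) for the ROCA fingerprint before deciding whether it has to be replaced. The following Python script is an added example written for this post; it is not code from Microsoft, Infineon or the ROCA authors. It takes the modulus as an integer or as the "Modulus=" line printed by `openssl rsa -pubin -noout -modulus`; the positive test value it builds is constructed to mimic the key structure and is not a real key.

```python
"""ROCA (CVE-2017-15361) fingerprint test for RSA public moduli.

RSA primes produced by the affected Infineon firmware have the form
    p = k * M + (65537 ** a mod M)
where M is a primorial (the product of the first few small primes). For a
modulus N = p * q this means N mod r lies in the subgroup generated by 65537
in Z_r^* for every small prime r dividing M. An honestly generated key lands in
those subgroups for all 39 primes only with negligible probability, so the test
is a cheap and reliable indicator that a key came from the affected firmware.
"""
from math import log2, prod

# The first 39 primes (all primes up to 167). M for every affected key size is a
# multiple of their product, so the same check covers 512- to 4096-bit keys.
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127,
                131, 137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537


def subgroup(p: int, g: int = GENERATOR) -> frozenset:
    """Residues g**a mod p for all a, i.e. the cyclic subgroup <g> of Z_p^*."""
    residues = set()
    x = 1
    while x not in residues:
        residues.add(x)
        x = (x * g) % p
    return frozenset(residues)


# Precomputed once: the residues a ROCA modulus may have modulo each small prime.
ALLOWED_RESIDUES = {p: subgroup(p) for p in SMALL_PRIMES}


def roca_fingerprint(n: int) -> bool:
    """True if n has the ROCA fingerprint: n mod p in <65537> for every small prime p."""
    return all(n % p in ALLOWED_RESIDUES[p] for p in SMALL_PRIMES)


def false_positive_log2() -> float:
    """log2 of the fraction of uniformly random moduli that pass the per-prime test by chance.

    Each prime p accepts |<65537>| of its p-1 non-zero residues; residues modulo
    distinct primes are independent (Chinese remainder theorem), so the fractions multiply.
    """
    return sum(log2(len(ALLOWED_RESIDUES[p]) / (p - 1)) for p in SMALL_PRIMES)


def modulus_from_openssl_line(line: str) -> int:
    """Parse the 'Modulus=<hex>' line printed by `openssl rsa -pubin -noout -modulus`
    (or `openssl x509 -noout -modulus` for a certificate)."""
    label, _, hexdigits = line.strip().partition("=")
    if label != "Modulus" or not hexdigits:
        raise ValueError(f"not an openssl modulus line: {line!r}")
    return int(hexdigits, 16)


def constructed_roca_like_modulus(a: int = 12345, k: int = (1 << 1800) + 0x1F) -> int:
    """CONSTRUCTED test value, not a real key: k*M + (65537**a mod M) reproduces the
    residue structure of a ROCA modulus without being a product of two primes."""
    M = prod(SMALL_PRIMES)
    return k * M + pow(GENERATOR, a, M)


if __name__ == "__main__":
    import secrets

    suspicious = constructed_roca_like_modulus()
    honest = secrets.randbits(2048) | (1 << 2047) | 1   # random odd 2048-bit number
    print("constructed ROCA-like modulus flagged:", roca_fingerprint(suspicious))
    print("random modulus flagged:              ", roca_fingerprint(honest))
    print("chance false-positive rate: 2^%.1f" % false_positive_log2())
    # A 'Modulus=' line as openssl prints it (constructed here from the value above)
    # can be fed straight into modulus_from_openssl_line().
    line = "Modulus=" + format(suspicious, "X")
    print("from openssl-style line:             ",
          roca_fingerprint(modulus_from_openssl_line(line)))
```

A positive result means the key must be treated as compromised regardless of whether the firmware has since been updated; updating the firmware only protects keys generated afterwards.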
Here is the MS Security Advisory (on first access you need to accept the EULA; afterwards you may need to click this link again!)
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV170012
Here is the Infineon Statement
https://www.infineon.com/TPM-update
List of affected models by vendor
(list not complete, only major vendors included, but the linked pages may already contain the right firmware update packages by model!)
ACER
https://us.answers.acer.com/app/answers/detail/a_id/51137
Dell (barely affected)
http://www.dell.com/support/article/SLN307820
HP (Consumer)
https://support.hp.com/us-en/document/c05792935
HP (Enterprise Support)
https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03789en_us
Lenovo
https://support.lenovo.com/us/en/product_security/LEN-15552
Fujitsu
http://www.fujitsu.com/global/support/products/software/security/products-f/ifsa-201701e.html
Toshiba
http://go.toshiba.com/tpmsecuritynotice
Known affected vendors (as of 10/24/2017)
(for newer information check the CVE and the advisory above again!)
- Atos SE
- Dell
- Fujitsu
- Gemalto NV
- Hewlett Packard Enterprise
- Infineon Technologies AG
- Lenovo
- Microsoft Corporation
- Rubrik
- WinMagic
- Yubico
Microsoft Devices affected:
If your hardware is a Surface device, firmware updates are not yet available as of October 10, 2017. Microsoft is working to make firmware updates available for the following affected devices and will provide links to the updates when they become available.
- Surface Book
- Surface Pro 3
- Surface Pro 4
- Surface Studio
- Surface Hub
Note that the Surface 3, Surface Laptop, and the Surface Pro released in June 2017 are NOT affected by this vulnerability.
To check your own machine:
- Apply the latest MS October 2017 cumulative update!
- Open "TPM.msc"
- Check the Status entry: after the October 2017 update it shows a warning if the TPM firmware on the machine is affected (the same finding is logged as event ID 1794 in the Microsoft-Windows-TPM-WMI event log)
Additional steps are needed!
For these, check the section "Recommended Actions" of the Microsoft Advisory:
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV170012
Special thanks to Andreas Erber, who brought this to my attention!