Thursday, October 26, 2017

Serious vulnerability: RSA-Keys generated by Infineon TPMs are Insecure

Normally I do not talk about single security vulnerabilities except there are really serious ones they are a little bit odd and out of the normal security scope (like patching vulnerable windows services which is done automatically during patch days). Here manual interaction is necessary!

Today we talk about a serious one in Infineon TPMs. Its a bug in the firmware implementation which unfortunatelly affects many different models from many different vendors. It is CVE-2017-15361, also referred to as "Return of Coppersmith's Attack" (ROCA).

ATTENTION!  Application of firmware update is not enough! You will need additional steps depending on Microsoft services and functions you used with TPM before!  e.g. Bitlocker, Active Directory etc!!!

Affected are INFINEON TPM chips which are used widely.

Here the MS Security Advisory (on first access you need to accept the EULA. Afterwards you may need to click this link again!!!)

Here is the Infineon Statement

List of affected models by vendor
(list not complete just major vendors included, but may include already the right firmware update packages by model!)


Dell (nearly not affected)

HP (Consumer)

HP (Enterprise Support)




Known affected vendors (by 10/24/2017)
(for newer informations check the CVE above again!)
  • Atos SE
  • Dell
  • Fujitsu
  • Gemalto AV
  • Google
  • Hewlett Packard Enterprise
  • Infineon Technologies AG
  • Lenovo
  • Microsoft Corporation
  • Rubrik
  • WinMagic
  • Yubico

Microsoft Devices affected:

If your hardware is a Surface device, firmware updates are yet not available as of October 10, 2017. Microsoft is working to make firmware updates available for following affected devices and will provide links to the updates when they become available.

  • Surface Book
  • Surface Pro 3
  • Surface Pro 4
  • Surface Studio
  • Surface Hub
Note that the Surface 3, Surface Laptop, and the Surface Pro released in June 2017 are NOT affected by this vulnerability.

To check your own machine:
  1. Apply the latest MS October 2017 kummulative patch!
  2. Open "TPM.msc" 
  3. Check for the Status entry

Additional steps are needed!
Checkout therefore the Microsoft Advisory in section "Recommended Actions!"

special thanks to Andreas Erber which brought me to attention of this!