Sunday, 22 October 2017 18:44

Thoughts on the TPM Vulnerability ADV170012

Written by
Rate this item
(4 votes)


In a desperate effort to make this blog post worth reading and not go through the indignity of having to write about Windows 10 1709, I have turned to the headline-generating festival currently ongoing on the net: the vulnerability in Trusted Platform Module (TPM) produced by Infineon Technologies AG which could allow security feature bypass.

The debate over the security vulnerability in some of Infineon' TPM chipsets has been as long as it has been tedious, with the weakness theoretically allowing attackers to calculate the private portion of any vulnerable key using nothing more than the corresponding public portion. Authoritative voices with a far superior level of technical know-how than me (i.e. just about any other blog or a random 10-year old) will be able to fill you in on the details, but the whole story essentially boils down to whether or not you are affected by the security vulnerability in the RSA key generation method used by TPM products and if you are, how to remediate the issue.

Microsoft did not release any details how the vulnerability can be exploited and they did the right thing. The specifics aren't really important at this point because this decision gives companies some breathing room to assess the vulnerability and prepare remediation of affected services. Because this is the right thing to do.

Three things are important to note:

  1. This is a firmware vulnerability and not a vulnerability in the Windows operating system.
  2. As Keith Garner notes in his blog post Notes on Microsoft ADV170012 – TPM Madness: "A successful attack depends on conditions beyond the attacker’s control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected." 
  3. And finally, whenever or not you are directly affected and require direct remediation steps depends on the TPM specification you are using. For instance, the security of the BitLocker protection is affected only if the TPM firmware version is 1.2 because the keys the TPM protector uses are factorizable.

More practically, what this boils down to is that following manufacturers are affected: HP, Lenovo, Fujitsu and Toshiba. Dell systems appear not to be in danger since Dell Inc. (to my knowledge) does not use TPM chips produced by Infineon Technologies AG. 

Infineon issued firmware updates for Infineon’s Trusted Platform Modules based on TCG specification family 1.2 and 2.0 and affected manufacturers are in the process of releasing updates to customers that will address the vulnerability.

In the meantime, I decided to update my PowerShell script to support latest HP's TPM firmware updates. I do not have any Lenovo, Fujitsu or Toshiba hardware handy, so I would appreciate any help updating my script to support other manufacturers.

Read 619 times Last modified on Monday, 23 October 2017 10:24

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.

Recent Posts

  • Automating Multi-node Tableau Server Environment
    After a few weeks off, I am delighted to announce that I have returned full time, once again delivering somewhat…
    Written on Monday, 19 February 2018 11:01
  • The Case of Missing TPM P@ssword
    As my regular blog readers will be aware (yes, all three of you), there is something increasingly traditional about me…
    Written on Thursday, 25 January 2018 10:04
  • The Case of "Just a Moment..."
    A key part of any complete end-to-end deployment project is analysis of the resulting logs to identify root causes for…
    Written on Tuesday, 16 January 2018 12:57
  • How to Automate Input Preferences during OSD
    A few days ago I stumbled upon a question on the Microsoft Deployment Toolkit (MDT) forum where a user asked…
    Written on Monday, 15 January 2018 12:36
  • Disabling Cortana Voice Support during OOBE
    Yesterday I came across a Twitter thread in which multiple users detailed their beef with the revamped setup experience of…
    Written on Tuesday, 12 December 2017 10:04
  • Fixing "Windows update reboot is pending" during OSD
    Automated OS deployment became common as IT professionals install systems using tools like Microsoft Deployment Toolkit or System Center Configuration…
    Written on Tuesday, 28 November 2017 08:44