Sunday, 22 October 2017 18:44

Thoughts on the TPM Vulnerability ADV170012



In a desperate effort to make this blog post worth reading and not go through the indignity of having to write about Windows 10 1709, I have turned to the headline-generating festival currently ongoing on the net: the vulnerability in Trusted Platform Modules (TPM) produced by Infineon Technologies AG, which could allow security feature bypass.

The debate over the security vulnerability in some of Infineon's TPM chipsets has been as long as it has been tedious, with the weakness theoretically allowing attackers to calculate the private portion of any vulnerable key using nothing more than the corresponding public portion. Authoritative voices with a far superior level of technical know-how than mine (i.e. just about any other blog, or a random 10-year-old) will be able to fill you in on the details, but the whole story essentially boils down to whether or not you are affected by the security vulnerability in the RSA key generation method used by TPM products and, if you are, how to remediate the issue.

Microsoft did not release any details of how the vulnerability can be exploited, and that was the right call. The specifics aren't really important at this point, because withholding them gives companies some breathing room to assess the vulnerability and prepare remediation of affected services.

Three things are important to note:

  1. This is a firmware vulnerability and not a vulnerability in the Windows operating system.
  2. As Keith Garner notes in his blog post Notes on Microsoft ADV170012 – TPM Madness: "A successful attack depends on conditions beyond the attacker’s control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected."
  3. And finally, whether or not you are directly affected and require direct remediation steps depends on the TPM specification you are using. For instance, the security of the BitLocker protection is affected only if the TPM firmware is version 1.2, because the keys the TPM protector uses are factorizable.

More practically, this boils down to the following manufacturers being affected: HP, Lenovo, Fujitsu and Toshiba. Dell systems appear not to be in danger, since Dell Inc. (to my knowledge) does not use TPM chips produced by Infineon Technologies AG.
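As an added example (not the author's script), the following PowerShell collects the facts the three points above and the manufacturer list turn on, for one Windows 10 machine: whether the TPM is an Infineon part, which specification family (1.2 or 2.0) it implements, and whether Windows has already flagged the firmware under ADV170012. It assumes an elevated session, the Get-Tpm cmdlet (whose ManufacturerIdTxt reads "IFX" for Infineon), the Win32_Tpm WMI class, and the October 2017 update that logs System event 1794 from the TPM-WMI source; the function name is mine.

```powershell
# Added example, not the author's HP firmware-update script.
# Run from an elevated PowerShell session on Windows 10.
function Test-Adv170012Exposure {
    [CmdletBinding()]
    param()

    # Get-Tpm exposes the manufacturer ID text and the firmware version string.
    $tpm = Get-Tpm
    $isInfineon = $tpm.ManufacturerIdTxt -match 'IFX'   # "IFX" = Infineon

    # The TCG specification family (e.g. "1.2" or "2.0") is the first field of
    # Win32_Tpm.SpecVersion, which is a comma-separated string.
    $wmiTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                              -ClassName 'Win32_Tpm'
    $specVersion = ($wmiTpm.SpecVersion -split ',')[0].Trim()

    # After the October 2017 update, Windows logs System event 1794 (source
    # TPM-WMI) when it detects firmware affected by ADV170012. Get-WinEvent
    # throws when nothing matches, hence SilentlyContinue.
    $flagged = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1794 } `
                            -ErrorAction SilentlyContinue |
               Where-Object { $_.ProviderName -like '*TPM-WMI*' } |
               Select-Object -First 1

    [pscustomobject]@{
        ManufacturerId   = $tpm.ManufacturerIdTxt
        FirmwareVersion  = $tpm.ManufacturerVersion   # compare with the vendor's list
        SpecVersion      = $specVersion
        IsInfineon       = $isInfineon
        FlaggedByWindows = [bool]$flagged
        # The post's BitLocker concern: an Infineon part on the 1.2 specification.
        # Whether the firmware itself is vulnerable still needs the vendor's list.
        BitLockerTpmProtectorExposed = $isInfineon -and ($specVersion -eq '1.2')
    }
}

Test-Adv170012Exposure | Format-List
```

A machine that reports IsInfineon = False is outside the scope of this advisory; one that reports FlaggedByWindows = True has the vulnerable firmware per Microsoft's own check and should go to the manufacturer's update.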

Infineon has issued firmware updates for its Trusted Platform Modules based on TCG specification families 1.2 and 2.0, and the affected manufacturers are in the process of releasing updates to customers that will address the vulnerability.

In the meantime, I decided to update my PowerShell script to support the latest HP TPM firmware updates. I do not have any Lenovo, Fujitsu or Toshiba hardware handy, so I would appreciate any help updating my script to support other manufacturers.

Last modified on Monday, 23 October 2017 10:24
