Aug 01, 2024 - 3:31 p.m.

Security Bulletin: This Power System update is being released to address CVE-2023-1017 and CVE-2023-1018

2024-08-01 15:31:56
www.ibm.com
Tags: power system, cve-2023-1017, cve-2023-1018, firmware, op940.70, tpm, disable, mitigate

CVSS3: 7.8
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 7.7 (Confidence: Low)
EPSS: 0.001 (Percentile: 20.5%)

Summary

An attacker with access to the host could send malformed commands to the TPM which would result in a TPM DoS. A complete power cycle of the system is required to recover.

Vulnerability Details

CVEID: CVE-2023-1017
**DESCRIPTION:** Trusted Computing Group Trusted Platform Module could allow a local authenticated attacker to execute arbitrary code on the system, caused by an out-of-bounds write flaw in the CryptParameterDecryption routine. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code in the TPM context, or crash the TPM chip/process or render it unusable.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/248634 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2023-1018
**DESCRIPTION:** Trusted Computing Group Trusted Platform Module could allow a local authenticated attacker to obtain sensitive information, caused by an out-of-bounds read in the CryptParameterDecryption routine. By sending a specially crafted request, an attacker could exploit this vulnerability to read or access sensitive data stored in the TPM.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/248636 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s) | Version(s)
Host firmware       | OP940.00 - OP940.60

Remediation/Fixes

Customers with the products below should install OP940.70 or newer to remediate this vulnerability.

Power 9

  1. IBM Power System AC922 (8335-GTG, 8335-GTX)

Once the firmware listed above has been installed, additional configuration options are available that let you disable the TPM completely, so that no malicious entity can perform the attack described. To complete the mitigation of this attack, follow these instructions:

Log in as root to the target BMC:

Set TPMEnable (aka TPM required) to false

busctl set-property xyz.openbmc_project.Settings /xyz/openbmc_project/control/host0/TPMEnable xyz.openbmc_project.Control.TPM.Policy TPMEnable b false

Set TPMDisable to true

busctl set-property xyz.openbmc_project.Settings /xyz/openbmc_project/control/host0/TPMDisable xyz.openbmc_project.Control.TPM.Policy TPMDisable b true

To validate both sensors are set correctly:

busctl get-property xyz.openbmc_project.Settings /xyz/openbmc_project/control/host0/TPMEnable xyz.openbmc_project.Control.TPM.Policy TPMEnable

busctl get-property xyz.openbmc_project.Settings /xyz/openbmc_project/control/host0/TPMDisable xyz.openbmc_project.Control.TPM.Policy TPMDisable

You will also see the following from the console when it is disabled:

No TPM chip found, activating TPM-bypass!
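
The validation step above, as a script (an added example, not part of IBM's bulletin): it issues the same two busctl get-property calls and reports "mitigated" only when TPMEnable is false and TPMDisable is true, treating any busctl failure or unexpected output as "unknown". The function names and the fw_is_fixed helper, which judges an OP940.xx level string that you supply, are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the TPM-disable mitigation on the BMC.
# Object paths and interface are the ones given in the bulletin.
SVC=xyz.openbmc_project.Settings
BASE=/xyz/openbmc_project/control/host0
IFACE=xyz.openbmc_project.Control.TPM.Policy

# Read one boolean property. busctl prints booleans as "b true"/"b false";
# anything else (error, missing object, other type) yields "unknown".
read_tpm_prop() {
    out=$(busctl get-property "$SVC" "$BASE/$1" "$IFACE" "$1" 2>/dev/null) \
        || { echo unknown; return; }
    case "$out" in
        "b true")  echo true ;;
        "b false") echo false ;;
        *)         echo unknown ;;
    esac
}

# Print "mitigated" only when TPMEnable=false AND TPMDisable=true.
tpm_mitigation_state() {
    en=$(read_tpm_prop TPMEnable)
    dis=$(read_tpm_prop TPMDisable)
    if [ "$en" = unknown ] || [ "$dis" = unknown ]; then
        echo "unknown"
    elif [ "$en" = false ] && [ "$dis" = true ]; then
        echo "mitigated"
    else
        echo "not-mitigated (TPMEnable=$en TPMDisable=$dis)"
    fi
}

# Return 0 if an OP940.xx level is at or above the fixed level OP940.70,
# 1 if it is in the affected range, 2 if the string is not an OP940.xx level.
fw_is_fixed() {
    case "$1" in
        OP940.[0-9][0-9]) minor=${1#OP940.} ;;
        *) return 2 ;;
    esac
    [ "${minor#0}" -ge 70 ]
}

# Run on the BMC as: sh tpm_audit.sh --audit   (file name is hypothetical)
if [ "${1:-}" = "--audit" ]; then
    tpm_mitigation_state
fi
```

A result of "unknown" should be treated as not mitigated until the properties can be read.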

Workarounds and Mitigations

Limit access to run arbitrary commands to the TPM.
