6.4 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
0.0004 Low
EPSS
Percentile
5.1%
tpm2-tss is an open source software implementation of the Trusted Computing
Group (TCG) Trusted Platform Module (TPM) 2 Software Stack (TSS2). In
affected versions Tss2_RC_SetHandler
and Tss2_RC_Decode
both index into
layer_handler
with an 8 bit layer number, but the array only has
TPM2_ERROR_TSS2_RC_LAYER_COUNT
entries, so trying to add a handler for
higher-numbered layers or decode a response code with such a layer number
reads/writes past the end of the buffer. This Buffer overrun, could result
in arbitrary code execution. An example attack would be a MiTM bus attack
that returns 0xFFFFFFFF for the RC. Given the common use case of TPM
modules an attacker must have local access to the target machine with local
system privileges which allows access to the TPM system. Usually TPM access
requires administrative privilege.
Author | Note |
---|---|
mdeslaur | accessing the TPM requires administrative privileges, so this is an unimportant attack scenario, setting priority to low |