Two security flaws in the TPM 2.0 specs put cryptographic keys at risk

TechSpot is about to celebrate its 25th anniversary. TechSpot means tech analysis and advice you can trust.

Facepalm: The Trusted Platform Module (TPM) secure crypto-processor became a topic for public debate in 2021 when Microsoft forced TPM 2.0 adoption as a minimum requirement for installing Windows 11. The dedicated hardware controller should provide “extra hard” security to data and cryptographic algorithms, but the official specifications are bugged.

Security researchers recently discovered a couple of flaws in the Trusted Platform Module (TPM) 2.0 reference library specification, two dangerous buffer overflow vulnerabilities that could potentially impact billions of devices. Exploiting the flaws is only possible from an authenticated local account, but a piece of malware running on an affected device could do exactly that.

The two vulnerabilities are tracked as CVE-2023-1017 and CVE-2023-1018, or as “out-of-bounds write” and “out-of-bounds read” flaws. The issue was discovered within the TPM 2.0’s Module Library, which allows writing (or reading) two “extra bytes” past the end of a TPM 2.0 command in the CryptParameterDecryption routine.

Also read: We Cannot Live Without Cryptography!

By writing specifically crafted malicious commands, an attacker could exploit the vulnerabilities to crash the TPM chip making it “unusable,” execute arbitrary code within TPM’s protected memory or read/access sensitive data stored in the (theoretically) isolated crypto-processor.

In other words, successful exploitation of the CVE-2023-1017 and CVE-2023-1018 flaws could compromise cryptographic keys, passwords and other critical data, making security features of modern, TPM-based operating systems like Windows 11 essentially useless or broken.

TPM provides a hardware number generator, secure generation and storage of cryptographic keys, remote attestation with a “nearly unforgeable” hash key summary of the hardware and software configuration, and other Trusted Computing functions. On Windows 11, the TPM can be used by DRM technology, Windows Defender, BitLocker full-disk encryption and more.

According to CERT Coordination Center at Carnegie Mellon University, a successful payload exploiting the vulnerabilities could run within the TPM and be essentially “undetectable” by security software or devices. The issue is resolved by installing the most recent firmware updates available for the user’s device, but the process is easier said than done.

While the flaws could theoretically impact billions of motherboards and software products, just a few companies have confirmed that they are indeed affected by the issue thus far. Chinese company Lenovo, the world’s largest PC manufacturer, acknowledged the issue in its Nuvoton line of TPM chips. An attacker could exploit the CVE-2023-1017 flaw to cause a denial of service issue in the Nuvoton NPCT65x TPM chip, Lenovo said.

Read More
Elida Antes

Latest

Airline spends four days without flying as bankruptcy rumors swirl

Please enable JS and disable any ad blocker

3 AI Memory Stocks to Watch in July 2026

AI memory stocks have been the loudest trade of 2026, as the scramble for the chips behind every AI server pushed prices and profits to records. But the three names below share the same strange split. The business has never looked stronger, yet the money flows are quietly turning cautious...

Zoomex X Space recap with David James and the World Cup trading panel

James said real pressure for keepers comes in the silence between shots. At Liverpool, City, Portsmouth and England, preparation shaped James. For traders too, instinct works only when built on the right information. Zoomex hosted the third episode of its World Cup Edition X Space as part of the Zoomex World Cup Impact Pledge, bringing

Kalyan Jewellers shares fall 6% despite 38% revenue growth in Q1

Home Market News Kalyan Jewellers shares fall 7% despite 38% revenue growth in Q1 Kalyan Jewellers' international business also maintained strong momentum, with revenue rising nearly 35% year-on-year. 2 Min Read Shares of Kalyan Jewellers India Ltd. fell as much as 7.5% in early trading on Tuesday, July 7, despite the jewellery retailer reported a

Newsletter

Don't miss

Airline spends four days without flying as bankruptcy rumors swirl

Please enable JS and disable any ad blocker

3 AI Memory Stocks to Watch in July 2026

AI memory stocks have been the loudest trade of 2026, as the scramble for the chips behind every AI server pushed prices and profits to records. But the three names below share the same strange split. The business has never looked stronger, yet the money flows are quietly turning cautious...

Zoomex X Space recap with David James and the World Cup trading panel

James said real pressure for keepers comes in the silence between shots. At Liverpool, City, Portsmouth and England, preparation shaped James. For traders too, instinct works only when built on the right information. Zoomex hosted the third episode of its World Cup Edition X Space as part of the Zoomex World Cup Impact Pledge, bringing

Kalyan Jewellers shares fall 6% despite 38% revenue growth in Q1

Home Market News Kalyan Jewellers shares fall 7% despite 38% revenue growth in Q1 Kalyan Jewellers' international business also maintained strong momentum, with revenue rising nearly 35% year-on-year. 2 Min Read Shares of Kalyan Jewellers India Ltd. fell as much as 7.5% in early trading on Tuesday, July 7, despite the jewellery retailer reported a

‘Worst thing about Cristiano Ronaldo’: Messi fan’s farewell to CR7 goes viral after Portugal vs Spain | World Cup 2026

Verified Messi fan Appie Cule has posted a lengthy farewell to Cristiano Ronaldo. This came after Spain beat Portugal 1-0 at the World Cup. That defeat effectively ended Ronaldo's World Cup career for good. Cule framed the post as Ronaldo's definitive "last dance" moment. The post argued Ronaldo had set impossibly-high standards for himself. It

Business seminar in Munich highlights Hong Kong’s strategic roles amidst global shifts (with photos)

Business seminar in Munich highlights Hong Kong's strategic roles amidst global shifts (with photos) ******************************************************************************************      The Hong Kong Economic and Trade Office, Berlin (HKETO Berlin), promoted Hong Kong's unique advantages and strategic roles at the seminar "Hong Kong's strategic role amidst geopolitical tensions" on June 18 (Munich time) in Munich, Germany.             Senior executives, investors

AI for business services: From job fears to productivity

AI for business services: From job fears to productivity

Business Insurance-AZ Achieves Record Response Times for 2026 Arizona Construction Bids

Business Insurance-AZ achieves milestone response speeds for commercial construction bids across Arizona, accelerating documentation delivery to keep local projects moving forward without delay. Phoenix, AZ, June 06-2026, ZEX PR WIRE — Business Insurance-AZ has achieved record-breaking processing speeds and response times for commercial construction bids throughout Arizona, directly supporting the state’s massive infrastructure and advanced manufacturing boom