Two security flaws in the TPM 2.0 specs put cryptographic keys at risk

TechSpot is about to celebrate its 25th anniversary. TechSpot means tech analysis and advice you can trust.

Facepalm: The Trusted Platform Module (TPM) secure crypto-processor became a topic for public debate in 2021 when Microsoft forced TPM 2.0 adoption as a minimum requirement for installing Windows 11. The dedicated hardware controller should provide “extra hard” security to data and cryptographic algorithms, but the official specifications are bugged.

Security researchers recently discovered a couple of flaws in the Trusted Platform Module (TPM) 2.0 reference library specification, two dangerous buffer overflow vulnerabilities that could potentially impact billions of devices. Exploiting the flaws is only possible from an authenticated local account, but a piece of malware running on an affected device could do exactly that.

The two vulnerabilities are tracked as CVE-2023-1017 and CVE-2023-1018, or as “out-of-bounds write” and “out-of-bounds read” flaws. The issue was discovered within the TPM 2.0’s Module Library, which allows writing (or reading) two “extra bytes” past the end of a TPM 2.0 command in the CryptParameterDecryption routine.

Also read: We Cannot Live Without Cryptography!

By writing specifically crafted malicious commands, an attacker could exploit the vulnerabilities to crash the TPM chip making it “unusable,” execute arbitrary code within TPM’s protected memory or read/access sensitive data stored in the (theoretically) isolated crypto-processor.

In other words, successful exploitation of the CVE-2023-1017 and CVE-2023-1018 flaws could compromise cryptographic keys, passwords and other critical data, making security features of modern, TPM-based operating systems like Windows 11 essentially useless or broken.

TPM provides a hardware number generator, secure generation and storage of cryptographic keys, remote attestation with a “nearly unforgeable” hash key summary of the hardware and software configuration, and other Trusted Computing functions. On Windows 11, the TPM can be used by DRM technology, Windows Defender, BitLocker full-disk encryption and more.

According to CERT Coordination Center at Carnegie Mellon University, a successful payload exploiting the vulnerabilities could run within the TPM and be essentially “undetectable” by security software or devices. The issue is resolved by installing the most recent firmware updates available for the user’s device, but the process is easier said than done.

While the flaws could theoretically impact billions of motherboards and software products, just a few companies have confirmed that they are indeed affected by the issue thus far. Chinese company Lenovo, the world’s largest PC manufacturer, acknowledged the issue in its Nuvoton line of TPM chips. An attacker could exploit the CVE-2023-1017 flaw to cause a denial of service issue in the Nuvoton NPCT65x TPM chip, Lenovo said.

Read More
Elida Antes

Latest

Berita celebrates milestone as ‘Namhlanje’ turns two months old

Music Celebrities Published on May 20, 2026 Berita is celebrating her...

What is a DAC? How to get better Lossless Audio on iPhone and Mac

Music Image: FoundryOliver Schusser, Apple’s Vice President in charge...

Nick Jonas Reveals Whether Daughter Malti Will Follow in His Musical Footsteps

Music About UsSubscribeContact UsFAQCareersClosed CaptioningWatch Full EpisodesSitemapE! International TV...

Newsletter

Don't miss

Berita celebrates milestone as ‘Namhlanje’ turns two months old

Music Celebrities Published on May 20, 2026 Berita is celebrating her...

What is a DAC? How to get better Lossless Audio on iPhone and Mac

Music Image: FoundryOliver Schusser, Apple’s Vice President in charge...

Nick Jonas Reveals Whether Daughter Malti Will Follow in His Musical Footsteps

Music About UsSubscribeContact UsFAQCareersClosed CaptioningWatch Full EpisodesSitemapE! International TV...

Global musicians go east as China becomes a major touring destination

MusicChina Entertainment News: Global musicians go east as...

Business seminar in Munich highlights Hong Kong’s strategic roles amidst global shifts (with photos)

Business seminar in Munich highlights Hong Kong's strategic roles amidst global shifts (with photos) ******************************************************************************************      The Hong Kong Economic and Trade Office, Berlin (HKETO Berlin), promoted Hong Kong's unique advantages and strategic roles at the seminar "Hong Kong's strategic role amidst geopolitical tensions" on June 18 (Munich time) in Munich, Germany.             Senior executives, investors

AI for business services: From job fears to productivity

AI for business services: From job fears to productivity

Business Insurance-AZ Achieves Record Response Times for 2026 Arizona Construction Bids

Business Insurance-AZ achieves milestone response speeds for commercial construction bids across Arizona, accelerating documentation delivery to keep local projects moving forward without delay. Phoenix, AZ, June 06-2026, ZEX PR WIRE — Business Insurance-AZ has achieved record-breaking processing speeds and response times for commercial construction bids throughout Arizona, directly supporting the state’s massive infrastructure and advanced manufacturing boom