Uncategorized

more on Infineon TPM issue

The UK gov guidance was also recently updated, so maybe worth a re-read:
https://www.ncsc.gov.uk/guidance/roca-infineon-tpm-and-secure-element-rsa-vulnerability-guidance

https://blog.cr.yp.to/20171105-infineon.html

https://blog.habets.se/2017/10/Is-my-TPM-affected-by-the-Infineon-disaster.html
https://github.com/ThomasHabets/simple-tpm-pk11/blob/master/check-srk/check-srk.cc

https://crocs.fi.muni.cz/public/papers/rsa_ccs17

http://mickitblog.blogspot.com/2017/10/infineon-tpm-vulnerability-report-using.html

http://www.thesccm.com/configmgr-query-infineon-firmware-tpm-microsoft-advisory-adv170012/

https://sites.google.com/a/chromium.org/dev/chromium-os/tpm_firmware_update

Encryption chip flaw afflicts huge number of computers

https://dl.acm.org/citation.cfm?id=3133969

Standard
Uncategorized

more on Infineon TPM issue

https://www.rsa.com/en-us/blog/2017-10/roca-blaming-infineon-is-the-easy-way-out

https://www.ncsc.gov.uk/guidance/roca-infineon-tpm-and-secure-element-rsa-vulnerability-guidance

https://lwn.net/Articles/736736/

https://lkml.org/lkml/2017/10/25/382

https://blog.rapid7.com/2017/10/25/roca-vulnerable-rsa-key-generation/

https://en.wikipedia.org/wiki/ROCA_vulnerability

http://www.cvedetails.com/cve/CVE-2017-15361/
http://www.securityfocus.com/bid/101484
https://www.cvedetails.com/bugtraq-bid/101484/Infineon-RSA-Library-CVE-2017-15361-Cryptographic-Security-B.html

Vulnerability in code library permits attackers to work out private RSA keys

https://answers.microsoft.com/en-us/windows/forum/windows_10-update/windows-10-update-version-1703/f5fa72fe-3d59-45d4-a4c4-eb849774b657?auth=1

 

Standard
Uncategorized

more on Infineon TPM issue

Simple PowerShell script to check whether a computer is using an Infineon TPM chip that is vulnerable to CVE-2017-15361.
https://github.com/lva/Infineon-CVE-2017-15361

Windows tool that analyzes your computer for Infineon TPM weak RSA keys (CVE-2017-15361)
https://github.com/jnpuskar/RocaCmTest

Infineon Embedded Linux TPM Toolbox 2 (ELTT2) for TPM 2.0
https://github.com/Infineon/eltt2

Google response:
https://sites.google.com/a/chromium.org/dev/chromium-os/tpm_firmware_update

Toshiba response:
https://support.toshiba.com/sscontent?contentId=4015874

Lenovo response:
https://support.lenovo.com/us/en/product_security/len-15552

HPE response:
https://support.hp.com/us-en/document/c05792935

Standard
Uncategorized

more on Infineon TPM issue (ROCA)

http://blog.ptsecurity.com/2017/10/a-major-flaw-in-popular-encryption.html

ROCA: Vulnerable RSA generation (CVE-2017-15361)

A newly discovered vulnerability in generation of RSA keys used by a software library adopted in cryptographic smartcards, security tokens and other secure hardware chips manufactured by Infineon Technologies AG allows for a practical factorization attack, in which the attacker computes the private part of an RSA key. The attack is feasible for commonly used key lengths, including 1024 and 2048 bits, and affects chips manufactured as early as 2012, that are now commonplace. Assess your keys now with the provided offline and online detection tools and contact your vendor if you are affected. Major vendors including Microsoft, Google, HP, Lenovo, Fujitsu already released the software updates and guidelines for a mitigation. Full details including the factorization method will be released in 2 weeks at the ACM CCS conference as ‘The Return of Coppersmith’s Attack: Practical Factorization of Widely Used RSA Moduli’ (ROCA) research paper.

https://crocs.fi.muni.cz/public/papers/rsa_ccs17

 

Standard
Uncategorized

more on Infineon TPM issue

Re: the recent Infineon TPM problem, more and more downstream problems are being discovered. The main news presses have lots of stories on this now.

 

Standard
Uncategorized

ChromeOS impact of Infineon TPM problem

More on: https://firmwaresecurity.com/2017/10/10/infineon-tpms-generating-weak-keys/

“You can check the TPM firmware running on your device by looking at the firmware_version line of the tpm_version entry in chrome://system. If the tpm_version entry is absent, this is likely because you are running an old Chrome OS version which doesn’t report this information. Upgrade to a newer version and check again.”

https://sites.google.com/a/chromium.org/dev/chromium-os/tpm_firmware_update

 

Standard
Uncategorized

Infineon TPMs generating weak keys?

https://www.infineon.com/cms/en/product/promopages/tpm-update/?redirId=59160

https://eesage.com/pages/103061850-tpm-update

ADV170012 | Vulnerability in TPM could allow Security Feature Bypass – A security vulnerability exists in certain Trusted Platform Module (TPM) chipsets. The vulnerability weakens key strength. It is important to note that this is a firmware vulnerability, and not a vulnerability in the operating system or a specific application. After you have installed software and/or firmware updates, you will need to re-enroll in any security services you are running to remediate those services.

Nice, Microsoft makes you agree to a EULA before you can view the web page. 😦

https://www.ghacks.net/2017/10/10/microsoft-security-updates-october-2017-release/

 

Standard