Uncategorized

Toshiba: Infineon TPMs, Security Feature Bypass Vulnerability

Infineon Technologies Trusted Platform Modules (TPMs), Security Feature Bypass Vulnerability

Document ID: 4015874
Posted Date: 2018-03-20
Last Updated: 2018-03-20

Infineon® Technologies Trusted Platform Modules (TPMs), Security Feature Bypass Vulnerability

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Potential Security Impact: A security vulnerability exists in certain Trusted Platform Module (TPM) firmware. The vulnerability weakens key strength. It is important to note that this is a firmware vulnerability, and not a vulnerability in the operating system or a specific application. Toshiba is working closely with Infineon® to validate their fix and ensure it works across Toshiba’s range of products. Until firmware updates are available, it is recommended that people and companies using Toshiba PCs and devices that incorporate TPMs to take steps to maintain the security of their systems and information.

Toshiba’s TPM Firmware Release Schedule:[…]
Source: Infineon® & Microsoft® Security TechCenter

https://support.toshiba.com/sscontent?contentId=4015874

Standard
Uncategorized

new ChromeOS TPM security feature

https://www.androidpolice.com/2018/02/18/google-releases-optional-security-update-chromebooks-wipes-local-data/

https://www.techrepublic.com/article/chromebook-update-boosts-security-but-wipes-all-data-in-the-process/

https://chromeunboxed.com/news/tpm-update-chrome-os-how-to-chromebook

https://www.chromium.org/chromium-os/tpm_firmware_update

https://productforums.google.com/forum/#!topic/chromebook-central/eo2HZeDVjr8

https://www.infineon.com/cms/en/product/promopages/tpm-update/

 

Standard
Uncategorized

INTEL-001-04 security advisory: Intel NUC and Infineon TPM

Intel® NUC Kit with Infineon Trusted Platform Module

Intel ID: INTEL-SA-00104
Product family: Intel® NUC Kit
Impact of vulnerability: Information Disclosure
Severity rating: Important
Original release: Jan 16, 2018
Last revised: Jan 16, 2018

Certain Intel® NUC systems contain an Infineon Trusted Platform Module (TPM) that has an information disclosure vulnerability as described in CVE-2017-15361.

Recently, a research team developed advanced mathematical methods to exploit the characteristics of acceleration algorithms for prime number finding, which are common practice today for RSA key generation. For more information please reference the public advisory issued by Infineon.

Intel highly recommends users make sure they have the appropriate Windows operating system patches to work around this vulnerability.

For customers that require a firmware upgrade please contact Intel Customer Support at https://www.intel.com/content/www/us/en/support.html for assistance.

All newly manufactured Intel® NUC systems that contain the Infineon TPM have been updated with the updated firmware from Infineon.

 

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00104&languageid=en-fr

 

Standard
Uncategorized

more on Infineon TPM issue

The UK gov guidance was also recently updated, so maybe worth a re-read:
https://www.ncsc.gov.uk/guidance/roca-infineon-tpm-and-secure-element-rsa-vulnerability-guidance

https://blog.cr.yp.to/20171105-infineon.html

https://blog.habets.se/2017/10/Is-my-TPM-affected-by-the-Infineon-disaster.html
https://github.com/ThomasHabets/simple-tpm-pk11/blob/master/check-srk/check-srk.cc

https://crocs.fi.muni.cz/public/papers/rsa_ccs17

http://mickitblog.blogspot.com/2017/10/infineon-tpm-vulnerability-report-using.html

http://www.thesccm.com/configmgr-query-infineon-firmware-tpm-microsoft-advisory-adv170012/

https://sites.google.com/a/chromium.org/dev/chromium-os/tpm_firmware_update

Encryption chip flaw afflicts huge number of computers

https://dl.acm.org/citation.cfm?id=3133969

Standard
Uncategorized

more on Infineon TPM issue

https://www.rsa.com/en-us/blog/2017-10/roca-blaming-infineon-is-the-easy-way-out

https://www.ncsc.gov.uk/guidance/roca-infineon-tpm-and-secure-element-rsa-vulnerability-guidance

https://lwn.net/Articles/736736/

https://lkml.org/lkml/2017/10/25/382

https://blog.rapid7.com/2017/10/25/roca-vulnerable-rsa-key-generation/

https://en.wikipedia.org/wiki/ROCA_vulnerability

http://www.cvedetails.com/cve/CVE-2017-15361/
http://www.securityfocus.com/bid/101484
https://www.cvedetails.com/bugtraq-bid/101484/Infineon-RSA-Library-CVE-2017-15361-Cryptographic-Security-B.html

Vulnerability in code library permits attackers to work out private RSA keys

https://answers.microsoft.com/en-us/windows/forum/windows_10-update/windows-10-update-version-1703/f5fa72fe-3d59-45d4-a4c4-eb849774b657?auth=1

 

Standard
Uncategorized

more on Infineon TPM issue

Simple PowerShell script to check whether a computer is using an Infineon TPM chip that is vulnerable to CVE-2017-15361.
https://github.com/lva/Infineon-CVE-2017-15361

Windows tool that analyzes your computer for Infineon TPM weak RSA keys (CVE-2017-15361)
https://github.com/jnpuskar/RocaCmTest

Infineon Embedded Linux TPM Toolbox 2 (ELTT2) for TPM 2.0
https://github.com/Infineon/eltt2

Google response:
https://sites.google.com/a/chromium.org/dev/chromium-os/tpm_firmware_update

Toshiba response:
https://support.toshiba.com/sscontent?contentId=4015874

Lenovo response:
https://support.lenovo.com/us/en/product_security/len-15552

HPE response:
https://support.hp.com/us-en/document/c05792935

Standard