wolfSSL / wolfTPM

wolfTPM is a highly portable TPM 2.0 library, designed for embedded use.
https://www.wolfssl.com
GNU General Public License v2.0

Response to TCG TPM2.0 Errata ID: TCGVRT0007 and CVE-2023-1017 and CVE-2023-1018 #260

Closed sei-vsarvepalli closed 8 months ago

sei-vsarvepalli commented 1 year ago

Hello WolfSSL TPM Crew,

Can you please consider a response to these two vulnerabilities disclosed by @CERTCC https://kb.cert.org/vuls/id/782720

We have tried to reach your PSIRT but so far not been able to get a response. Your response is appreciated. @JacobBarthelmeh is the only contact we have reached out to.

Thanks

https://trustedcomputinggroup.org/wp-content/uploads/TCGVRT0007-Advisory-FINAL.pdf

dgarske commented 1 year ago

Hi @sei-vsarvepalli ,

This came to my attention yesterday, and I reviewed the TCGVRT0007-Advisory-FINAL.pdf and the CERTCC reports. These vulnerabilities do not affect wolfTPM. It only affects software TPM (swtpm). There should also be no issues with any physical TPM devices.

The vulnerabilities are in the TPM reference code "CryptParameterDecryption()". The issue is on the TPM side, in the handling of arguments where the length is not checked, which allows an attacker to read or write two bytes past the buffer.

Thanks, David Garske, wolfSSL
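The defect class described above (a size-prefixed parameter whose length is used before it is checked against the bytes actually received) is easiest to see in a small validator. The following is an added illustration written for this page; it is not wolfTPM code and not the TCG reference implementation, and the function names (`check_sized_param`, `decrypt_parameter_checked`, `sample_result`) and the sample buffers are constructed for the example. It models a TPM2B-style buffer (2-byte big-endian size followed by the data) and shows the two checks a TPM-side decryption routine needs before it touches the payload: that the size field itself is present, and that the claimed size fits inside the received buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed example: a TPM2B-style sized buffer is a 2-byte big-endian
 * length prefix followed by that many bytes of data. Before a parameter
 * decryption step touches the data, both the prefix itself and the length
 * it claims must be checked against the bytes actually received. */

enum param_status {
    PARAM_OK = 0,
    PARAM_ERR_TOO_SHORT_FOR_SIZE = 1,  /* fewer than 2 bytes: size field is out of bounds */
    PARAM_ERR_SIZE_EXCEEDS_BUFFER = 2  /* claimed size runs past the received bytes */
};

/* Validate a size-prefixed parameter. On success *data points at the payload
 * and *data_len holds the validated payload length. */
enum param_status check_sized_param(const uint8_t *buf, size_t buf_len,
                                    const uint8_t **data, uint16_t *data_len)
{
    if (buf == NULL || buf_len < 2) {
        return PARAM_ERR_TOO_SHORT_FOR_SIZE;   /* reading the size would overrun */
    }
    uint16_t claimed = (uint16_t)(((uint16_t)buf[0] << 8) | buf[1]);
    if ((size_t)claimed > buf_len - 2) {
        return PARAM_ERR_SIZE_EXCEEDS_BUFFER;  /* payload would overrun */
    }
    *data = buf + 2;
    *data_len = claimed;
    return PARAM_OK;
}

/* Hypothetical decryption step. In a real TPM this is where the session
 * key stream would be applied to the payload; here it just copies the
 * validated payload out, so the point is only that no length reaches this
 * step without passing check_sized_param(). Returns the payload length on
 * success, or the negated param_status on failure. */
int decrypt_parameter_checked(const uint8_t *buf, size_t buf_len,
                              uint8_t *out, size_t out_len)
{
    const uint8_t *data = NULL;
    uint16_t data_len = 0;
    enum param_status st = check_sized_param(buf, buf_len, &data, &data_len);
    if (st != PARAM_OK) {
        return -(int)st;
    }
    if (data_len > out_len) {
        return -(int)PARAM_ERR_SIZE_EXCEEDS_BUFFER;  /* destination too small */
    }
    memcpy(out, data, data_len);
    return (int)data_len;
}

/* Constructed sample inputs. */
static const uint8_t SAMPLE_OK[]        = {0x00, 0x03, 'a', 'b', 'c'};  /* claims 3, has 3 */
static const uint8_t SAMPLE_OVERCLAIM[] = {0x00, 0x10, 'a', 'b', 'c'};  /* claims 16, has 3 */
static const uint8_t SAMPLE_ONE_BYTE[]  = {0x00};                       /* size field truncated */

/* Run one constructed sample through the checked decryption; returns the
 * payload length on success or a negative status code. */
int sample_result(int which)
{
    const uint8_t *buf;
    size_t len;
    switch (which) {
    case 0:  buf = SAMPLE_OK;        len = sizeof SAMPLE_OK;        break;
    case 1:  buf = SAMPLE_OVERCLAIM; len = sizeof SAMPLE_OVERCLAIM; break;
    default: buf = SAMPLE_ONE_BYTE;  len = sizeof SAMPLE_ONE_BYTE;  break;
    }
    uint8_t out[64];
    return decrypt_parameter_checked(buf, len, out, sizeof out);
}

int main(void)
{
    for (int i = 0; i < 3; i++) {
        printf("sample %d -> %d\n", i, sample_result(i));
    }
    return 0;
}
```

Compiled and run on its own, the program reports the validated length (3) for the well-formed sample and negative status codes for the buffer that over-claims its size and for the buffer too short to even hold the size field; those two rejected cases correspond to the unchecked-length condition the advisory describes.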