tpm2-tss-2.3.2-5.el8

エラータID: AXSA:2023-7284:03

Release date: 
Tuesday, December 26, 2023 - 01:17
Subject: 
tpm2-tss-2.3.2-5.el8
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
Low
Description: 

tpm2-tss is a software stack supporting Trusted Platform Module(TPM) 2.0 system APIs. It sits between TPM driver and applications, providing TPM2.0 specified APIs for applications to access TPM module through kernel TPM drivers.

Security Fix(es):

* tpm2-tss: Buffer Overlow in TSS2_RC_Decode (CVE-2023-22745)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2023-22745
tpm2-tss is an open source software implementation of the Trusted Computing Group (TCG) Trusted Platform Module (TPM) 2 Software Stack (TSS2). In affected versions `Tss2_RC_SetHandler` and `Tss2_RC_Decode` both index into `layer_handler` with an 8 bit layer number, but the array only has `TPM2_ERROR_TSS2_RC_LAYER_COUNT` entries, so trying to add a handler for higher-numbered layers or decode a response code with such a layer number reads/writes past the end of the buffer. This Buffer overrun, could result in arbitrary code execution. An example attack would be a MiTM bus attack that returns 0xFFFFFFFF for the RC. Given the common use case of TPM modules an attacker must have local access to the target machine with local system privileges which allows access to the TPM system. Usually TPM access requires administrative privilege.

Solution: 

Update packages.

CVEs: 
CVE-2023-22745
tpm2-tss is an open source software implementation of the Trusted Computing Group (TCG) Trusted Platform Module (TPM) 2 Software Stack (TSS2). In affected versions `Tss2_RC_SetHandler` and `Tss2_RC_Decode` both index into `layer_handler` with an 8 bit layer number, but the array only has `TPM2_ERROR_TSS2_RC_LAYER_COUNT` entries, so trying to add a handler for higher-numbered layers or decode a response code with such a layer number reads/writes past the end of the buffer. This Buffer overrun, could result in arbitrary code execution. An example attack would be a MiTM bus attack that returns 0xFFFFFFFF for the RC. Given the common use case of TPM modules an attacker must have local access to the target machine with local system privileges which allows access to the TPM system. Usually TPM access requires administrative privilege.
Additional Info: 

N/A

Download: 

SRPMS
  1. tpm2-tss-2.3.2-5.el8.src.rpm
    MD5: 0510e7eb55dc960ba201e6ee4bb0f8b8
    SHA-256: f75da9de61c5f882cc2ef406519fe09767f7be611c4932093dad515ac5ab9559
    Size: 1.07 MB

Asianux Server 8 for x86_64
  1. tpm2-tss-2.3.2-5.el8.i686.rpm
    MD5: ed036344ed812fd80aef312ab392cae6
    SHA-256: 7cefd19bedf682bd3f023a8821f79e71a555365aef689f278435f72e01a866b6
    Size: 233.39 kB
  2. tpm2-tss-2.3.2-5.el8.x86_64.rpm
    MD5: 46f480775f79ac4d50b6c85615adeecb
    SHA-256: a0ae7d4f20a7c1341134346b92240a14e834f6d3239bd30790a0d02fdc32cc2d
    Size: 274.16 kB
  3. tpm2-tss-devel-2.3.2-5.el8.i686.rpm
    MD5: f14739b0797c60a83dfdb16ebe589ca5
    SHA-256: 7f3db028898e88649b08dad50a7b60a3806bfb44189ce20c48a72b055d28dd4c
    Size: 242.20 kB
  4. tpm2-tss-devel-2.3.2-5.el8.x86_64.rpm
    MD5: e985b4fd3d500395c323cfc27e401c7a
    SHA-256: 71526bc4fdb73af5c77a551ad96d8cf1e90cca5053184a82e56d649bdf568eed
    Size: 242.21 kB