Finding the Achilles’ heel of TPM

Topic

New Reply

ISSUE 21.28 • 2024-07-08 BEN’S WORKSHOP By Ben Myers Eclypsium, a security firm, recently discovered a vulnerability in the system-board firmware supp
[See the full post at: Finding the Achilles’ heel of TPM]

13 users thanked author for this post.

ibe98765, Ramiah Ramasubramanian, a, IBM1130, Norio, fisher75, abbodi86, T-J-N, DLivesInTexas, windbg, RetiredGeek, jburk07, lmacri

Reply | Quote

Replies

PC manufacturers don’t release Firmware/Bios updates to older than 3 years PCs.
My 2018 Lenovo y530 Intel Core i7 8750H Coffee Lake
got its last Bios update on 02.2021.

Reply | Quote

PC Manufacturers may do a little bit better with business-class computers, being pushed by large enterprise and government organizations with thousands of computers.

Reply | Quote

The easiest was to find out your BIOS manufacturer and information is through any of the free processer utilities such as CPU-Z. It will give you all the information you need.

Reply | Quote

I ran CPU-Z on several systems here and it obscured the original BIOS manufacturer, instead showing “Lenovo” and “Dell”, so it is not foolproof.  I ran other utilities that purport to identify the BIOS manufacturer, but they all have access to the same information.

Reply | Quote

Alex5723 wrote:

PC manufacturers don’t release Firmware/Bios updates to older than 3 years PCs.
My 2018 Lenovo y530 Intel Core i7 8750H Coffee Lake
got its last Bios update on 02.2021.

Much depends on the manufacturer, the motherboard and the processor. ASUS continues to issue BIOS revisions for some of their motherboards after five years. My most recent update, for a five year old motherboard was released in June, 2024 along with the latest Intel ME Update. My latest ASUS laptop BIOS was dated 2021.

Reply | Quote

The easiest way to find what BIOS provider the motherboard manufacturer used.

WinKey+R, enter msinfo32.exe, press Enter.

Works in Windows 7, 10 & 11 without needing to boot into BIOS/UEFI mode or using a 3rd part app!

6 users thanked author for this post.

kandb, ibe98765, Glucose, lorenzok1, GeeBeeDee, NaNoNyMouse

Reply | Quote

Agreed.  Same issue as with 3rd party utilities.  Dell and Lenovo systems tested here identify the BIOS manufacturer as “Dell” and “Lenovo”, respectively.

1 user thanked author for this post.

Norio

Reply | Quote

n0ads wrote:

The easiest way to find what BIOS provider the motherboard manufacturer used.

WinKey+R, enter msinfo32.exe, press Enter.

Works in Windows 7, 10 & 11 without needing to boot into BIOS/UEFI mode or using a 3rd part app!

Include also Win8.1.

Reply | Quote

Does this vulnerability exist for both motherboards that use an actual TPM 2.0 chip as well as those that can emulate TPM 2.0 thru the Intel CPU?

Reply | Quote

“Somewhere along the way, Intel’s generational naming went off the Bridges and into the Lakes.”

Well done.

4 users thanked author for this post.

Cybertooth, Ben Myers, rbailin, Tem

Reply | Quote

If anyone here determines a means to display the TPM controller firmware maker (Phoenix Technologies?) and firmware version embedded in hp’s BIOS, please advise.

Processor here is Whiskey Lake (derivative of Coffee Lake, and Windows 11 suitable), TPM is 2.0, most recent BIOS is hp-branded and dated 4/12/2024.

hp does not mention CVE-2024-0762 anywhere on its web site or in BIOS release notes.

Reply | Quote

HP is part of the deafening silence about this vulnerability, leaving Lenovo and Phoenix to deal with it and with the fallout.

1 user thanked author for this post.

ibe98765

Reply | Quote

I am fairly certain HP uses AMI, not Phoenix for their bios.

Reply | Quote

And this just in, seen while repairing a client’s gaming rig.  A vulnerability in UEFI firmware for an AMD Ryzen system.  Need to update firmware before putting system back in gamer’s hands. 

Reply | Quote

Before anyone gets overly concerned about just who made their BIOS/UEFI installed in their system(s), allow me to quote a bit of something that’s in the middle of Ben’s excellent article:

…I should note at this point that a computer compromised by this vulnerability can be infected only via hands-on access. Make sure all your computers are physically secure from intrusion by others. In a business setting, secure all computers after work hours. Apply a small dose of paranoia to your thinking about letting anyone other than trusted members of your circle touch your computer. …

I added the bolding above in the quote.

So, to make you a victim of this vulnerability, the attacker needs actual physical access to your computer(s). Do you need to patch this vulnerability? CERTAINLY! Do you need to patch it this very second?? Probably NOT.

In response to Tem’s query above about who the manufacturer of the BIOS/UEFI is for HP systems, I did some searching on Google, and came up with just a bunch of hits regarding how to update the HP BIOS/UEFI and no real info about the actual manufacturer. Some hits actually showed images from utilities folks had used to find the manufacturer’s name, and they all showed HP listed as the manufacturer.

In light of what Ben posted above regarding his experience with Dell and Lenovo systems, I have a feeling that the actual manufacturer’s name for all three of those brands is a VERY closely guarded secret. Those companies might even write/manufacture their OWN code instead of going to an outside source.

2 users thanked author for this post.

Norio, Tem

Reply | Quote

FWIW, hp’s BIOS release notes will list several included components (Intel vBIOS, Intel/Realtek PXE ROM, etc.) and their firmware versions, but there’s no mention of Phoenix SecureCore.  It may be that hp wrote their own TPM UEFI handler, and the Phoenix CVE does not apply.

Reply | Quote

Alex5723 wrote:

PC manufacturers don’t release Firmware/Bios updates to older than 3 years PCs.

My desktop is a custom build from the Asus MB up in 2018 and my last BIO update was Sept 2023.  So FWIW I got 5 years out of it.  I suspect that’s the last BIOS update that will be offered for my MB.  My CPU is Intel Skylake and not on the list.  It was the one just ahead of Kaby Lake.

Desktop Asus TUF X299 Mark 1, CPU: Intel Core i7-7820X Skylake-X 8-Core 3.6 GHz, RAM: 32GB, GPU: Nvidia GTX 1050 Ti 4GB. Display: Four 27" 1080p screens 2 over 2 quad.

1 user thanked author for this post.

Alex5723

Reply | Quote

Guess the most important thing to take note is that attackers need physical access to a vulnerable PC in order to exploit this vulnerability, which is probably what a lot of home/consumer users need to know to stop worrying.

Other than that, looks like I dodged the bullet this time: my latest Intel 13th gen custom build uses an Asus board with an AMI bios and the older Intel 6th gen build is installed on a board also equipped with an AMI bios.

BTW, I’m not entirely sure from reading the article whether Intel 6th gen (Skylake) CPUs are affected at all. In one passage, it is mentioned that the vulnerability applies to the last ten generations of Intel CPUs, implying Skylake would be “safe”: is this correct and does it mean that a system running a Skylake CPU off a board equipped with a Phoenix UEFI bios is not vulnerable?

Reply | Quote

Given that the vulnerability was found originally in a Lenovo laptop with 4th gen Haswell-Ivy Bridge CPU, I am pretty confident that the vulnerability exists in all Intel CPUs starting with 4th gen, maybe even going back to 3rd gen and going forward.

Reply | Quote

Am I correct that this bug doesn’t apply to pre-TPM CPUs?

Reply | Quote

If your computer motherboard lacks a TPM chip (and hence, lacks TPM-based drive encryption), then the issue is moot, whatever Intel CPU and UEFI firmware is in your computer.

If I understand the issue correctly, there’s a flaw in the Phoenix SecureCore TPM handler that is a component of *some* UEFI firmware, and Lenovo has been up front about the presence of this flaw in some of their computer models.  Other computer manufacturers have been silent on this issue.

Reply | Quote

So are we watching for a BIOS update or Firmware update to fix this? Thanks.

Reply | Quote

The computer industry now calls it UEFI firmware.  No longer do we have fun on the BIOS, unless dealing with a pre-UEFI system.

Reply | Quote

My EUFI just displays American Megatrends, Inc. when I boot to the settings. Otherwise I get this info using Belarc Advisor:

Main Circuit Board b
Board: ASUSTeK COMPUTER INC. PRIME Z590-A Rev 1.xx
Serial Number: 210281120100524
Bus Clock: 100 megahertz
UEFI: American Megatrends Inc. 2001 09/21/2023

I guess that meets the “don’t have to worry” category since it is an AMI product, or do I have to be concerned since Ben says “If your computer has AMI APTIO, AMIBIOS, or InsydeH2O® firmware, you are also in the clear.” per the article and it’s not displaying AMI APTIO or AMIBIOS? Not quite clear as to what Ben intended to say.

Reply | Quote

What we all know so far is that the vulnerability exists only in Phoenix UEFI firmware.

American Megatrends Inc. is synonymous with AMI APTIO and AMIBIOS, so yes, you are in the clear, it would seem.

 

1 user thanked author for this post.

Bob McLeran

Reply | Quote

I’ve posted several times that I guaranteed TPM would be broken before the mandatory end of support of Windows 10.
My 4gig Gen 6 i7 does everything I need it to do, I wonder what it’s going to take for MS to give up on it’s demand that we all buy new PCs?

Reply | Quote

As harsh as Microsoft’s CPU requirement is, I doubt that they will relent after nearly three years of stonewalling and keeping information from the public.  Windows 11 has a three-fold goal:

1. Sell new hardware.  The manufacturers cheered.
2. Make Windows more secure.  Jury still out.
3. Promote gaming computers as a third market segment in addition to enterprise/corporate computers and plain consumer systems. Note all the junk games installed with Windows 11.

There are other systems, like mine, that would run Windows 11 flawlessly and quickly, even with whatever slowdown Microsoft claims would happen.  It’s hard to slow down a 10-core Xeon with 64GB of memory. And if I wanted, I could upgrade to a 16-core Xeon.  Go ahead, Microsoft.  Tell me how unbearable the slowdown would be when I use this system with Windows 11.

1 user thanked author for this post.

Cybertooth

Reply | Quote

Hi Ben,

I am a new subscriber to Ask Woody newsletter.

I was one of the paid readers of Mr. Livingston’s excellent newsletter Muscular Portfolios. When his newsletter ceased publication he made the most generous and ethical offer to enroll paid readers like myself to Ask Woody newsletter Plus as a compensation.

I am very glad to be a subscriber to Ask Woody newsletter Plus. I have had the opportunity to read some of the latest issues of the newsletter. I am very impressed with the depth and breadth of your coverage of PC related issues. As a matter of fact, I just paid for one year extension of my subscription. I wish there was an option to pay subscription for three years, like many print and digital publications do! Thanks to one of the old postings by one of your members in your forums that I came across in a google search result, I was able to repurpose and reuse the Dell Inspiron 11-3162 by following the member’s suggestion.

No doubt in my mind that I am going to need your expertise and help in navigating the next few years, particularly with the hurried, chaotic and often reckless introduction of AI based technologies at breakneck speed. (I just finished reading the penetrating analysis by Mr. Livingston of the havoc unleashed by social media platforms that has been published in the current issue of Ask Woody newsletter).

In your thoughtful analysis of  CVE-2024-0762 you highlight the fact that: a) to date, there has been no known reports of in-the-wild exploits of CVE-2024-0762 b) an attacker exploiting this vulnerability had to have physical access to the computer. While it is certainly reassuring to know this point, what comes to my mind is the potential  for exploitation of this vulnerability by remote access. On a similar issue (KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932) Microsoft said: ” For the BlackLotus UEFI bootkit exploit described in this article to be possible, an attacker must gain administrative privileges on a device or gain physical access to the device. This can be done by accessing the device physically or remotely, such as by using a hypervisor to access VMs/cloud.”

Thanks to your hard work and equally invaluable contributions from Brian and Susan I can sleep well at night and navigate the technological future with confidence and serenity.

Reply | Quote

And thank you!  I think we all like what we do, the combination of hands on and writing.

 

Reply | Quote

I reached out to Phoenix PR about 10 days ago, and got a response from its anonymous security team.  Ever after I asked a couple of follow-up questions, it is kind to say that Phoenix is offering no additional information, due to claims of confidentiality with their customers.  Too bad, because this leaves Phoenix and Lenovo hanging out there all alone, as the other customers of Phoenix continue to say nothing.

Phoenix claimed its UEFI firmware remediation had already been made available to their customers at the time when it first posted its undated web page.  So my table, Figure 1 in the article, is about as accurate as it will ever be. Phoenix would not state how far back in the Intel i-series generations its remediation would be applicable.

No comment, either, by Phoenix about the article itself.

Reply | Quote