TPM 2.0, required by Windows 11, is hackable. Upgrade now?

Topic

New Reply

PUBLIC DEFENDER By Brian Livingston Researchers have discovered flaws in TPM 2.0, a security microcontroller that Microsoft requires on a device (with
[See the full post at: TPM 2.0, required by Windows 11, is hackable. Upgrade now?]

6 users thanked author for this post.

lmacri, rc primak, Norio, DLivesInTexas, rbailin, Alex5723

Reply | Quote

Replies

Lenovo laptop with Intel TMP 2.0 sub version 1.38
4.5 years old laptop not supported by Lenovo anymore.

Reply | Quote

Following this article, I checked my PC Windows 10 and found that it runs TPM 1.38.
Does it present a security risk?

Reply | Quote

Possibly.

Check the vendor list at the article’s Vulnerabilty Note links.

Reply | Quote

Here’s a little PowerShell script to check your TPM. Run As Administrator!

$GCIArgs = @{NameSpace = "root\cimv2\security\microsofttpm" 
             Class     = "Win32_tpm"
            }

Get-CIMInstance @GCIArgs | 
   Select SpecVersion, IsEnabled_InitialValue, 
          IsActivated_InitialValue, ManufacturerVersionInfo |
   FL

Output:

SpecVersion              : 2.0, 0, 1.16
IsEnabled_InitialValue   : True
IsActivated_InitialValue : True
ManufacturerVersionInfo  : Intel           

HTH

May the Forces of good computing be with you!

RG

PowerShell & VBA Rule!
Computer Specs

3 users thanked author for this post.

windbg, Just another Forum Poster, G

Reply | Quote

As usual, security vulnerabilities are surrounded by clouds of uncertainty and confusion.  Dell, the manufacturer of my system has not responded as of 2/28/2023.

My system’s TPM 2.0 chip is manufactured by Intel whose response asserts that its products are not impacted.  But don’t rest easy yet.  The chip’s specification subversion contradicts Intel’s assertion.

Hmmm.  What to do?  Well, since the vulnerability according to CERT requires a “local, authenticated attacker’ my position at this point in time is to do nothing.

Is this business annoying?  Yes, of course.  Am I going to lose any sleep over it?  Nope, not a minute.

4 users thanked author for this post.

IT Manager Geek, windbg, Cybertooth, NaNoNyMouse

Reply | Quote

@EricB My Dell has an Intel chip and version 1.38!

I don’t know if this means it is or isn’t susceptible to the problem

Dell Inspiron 16 Plus 7640 Core Ultra 7 155H 32GB Win 11 Pro 23H2 (22631.5189)
Dell Inspiron 15 7580 i7 16GB Win 11 pro 24H2 (26100.3775),
Microsoft 365 Version 2502 (18526.20168)
Location: UK

Reply | Quote

John,

According to the list linked in the referenced post Intel platforms are NOT affected. HTH

May the Forces of good computing be with you!

RG

PowerShell & VBA Rule!
Computer Specs

2 users thanked author for this post.

Alex5723, geekdom

Reply | Quote

@RetiredGeek, I’m still concerned about the contradiction.

Intel say no, 1.38 say yes. ??

Dell Inspiron 16 Plus 7640 Core Ultra 7 155H 32GB Win 11 Pro 23H2 (22631.5189)
Dell Inspiron 15 7580 i7 16GB Win 11 pro 24H2 (26100.3775),
Microsoft 365 Version 2502 (18526.20168)
Location: UK

Reply | Quote

According to the post, “The Trusted Computing Group, which maintains the specifications for TPM, released a two-page alert (PDF) saying the newly discovered flaws affect only Revisions 1.16, 1.38, and 1.59 of TPM 2.0.”

So if your subversion is one of the above your system may be impacted.  This guidance seems to contradict Intel’s assertion, and Dell’s silence doesn’t help.

IMHO, there’s good sense in the old maxim, “When in doubt, do nothing.”

3 users thanked author for this post.

geekdom, NaNoNyMouse, Just another Forum Poster

Reply | Quote

My Dell is a little over a year old and my TPM chip has version 1.38 but is made by AMD. I couldn’t find AMD on the list at all although I assume it must be there. I checked for updates and found I had a critical BIOS update and took it. However, couldn’t find any details about what it fixed.

Chatted with a Dell CSR who was no help. He directed me to a link which consists of over 1130 pages of Dell Security Advisories. The one for the update I took was DSA-2023-048 and that is the one advisory I couldn’t find on the list. I could find the numbers on either side of that but not that.

I used to love tech but now find it to be a pain in the ass. Still love using it when it works.

Reply | Quote

WSjcgc50 wrote:

I couldn’t find AMD on the list at all

It’s there, just not where you’d expect since the “default” sorting of the list is not alphabetical.

It’s current status is unknown.

Reply | Quote

My Asus Maximus XI Gene motherboard also has an Intel TPM and it’s also version 1.38.

And, as was pointed out by @EricB, the Trusted Computing Group’s document (note: it’s a PDF) indicates 1.38 is one of the main vulnerable versions!

Makes me wonder if Intel’s announcement only applies to their “currently supported” products and they didn’t even bother to test any of their “older” products for the vulnerability.

As has already been stated, there’s a HUGE cloud of uncertainty around this announcement (especially by the various vendors!)

2 users thanked author for this post.

wavy, geekdom

Reply | Quote

Lenovo Laptop

Intel 1.16 (2016)

Same thought!

Reply | Quote

Fantastic!

I’ll put off upgrading my circa 2014 Desktop until Win 10 fails.

Current Laptop (Win 11) records (Thanks RetiredGeek) TPM as:-

SpecVersion : 2.0, 0, 1.38
IsEnabled_InitialValue : True
IsActivated_InitialValue : True
ManufacturerVersionInfo : AMD

Is this bug free?

Reply | Quote

I have an old Dell Optiplex 7040 with Windows 10 and everything up-to-date which works fine. The TPM is one that this article says is vulnerable: TPM 2.0 Rev 1.16. The links in the article and what I check online is very unclear re. whether I should attempt to update it. I’ve checked with Dell and gotten nowhere. I’d really like more detailed advice if possible. Or should I just not worry about it?

1 user thanked author for this post.

rc primak

Reply | Quote

Hi Brian,

Thanks for the heads up.

I have an AMD chip so….

That list is really long the Good, the Bad and the Ugly (ooops Unkown).

My vote is, if mine isn’t broke for sure, don’t try to fix it by turning something off.

Regards,

Frank S

Reply | Quote

brw2019 wrote:

whether I should attempt to update it

You can’t update TMP on your own.
You should wait for Windows update or vendor notification.

https://support.microsoft.com/en-us/windows/update-your-security-processor-tpm-firmware-94205cbc-a492-8d79-cc55-1ecd6b0a8022

2 users thanked author for this post.

rc primak, windbg

Reply | Quote

As I suspected. (psst– you misspelled TPM)

-- rc primak

Reply | Quote

OK, so I ID’ed my TPM chip and it’s TPM 2.0 Sub-Version 1.38 (vulnerable). It’s also an Intel NUC-11 (Panther Canyon). Intel says not vulnerable. Recently there was a BIOS update, but not for this vulnerability, AFAIK. No current BIOS update, but a Realtek Audio Driv Gen Intel processor) er update.

The BIOS Update was applied at the end of January, 2023, and was dated as from Dec. 28, 2022.

My PowerSpec 685B (12th Gen Intel processor) has the same identical TPM module, except its manufacturer version is slightly higher. (600.18.0.0, vs. the NUC-11 at 600.7.0.0).  Same TPM sub-version date, Dec. 18, 2019. I don’t know where I would get a BIOS update for this PC as its motherboard is an ASUS model, but the Micro Center does not supply driver or BIOS updates for any of its PCs.

Intel’s rapid response to this security issue is astounding (end sarcasm).

So now what do I do?

-- rc primak

1 user thanked author for this post.

geekdom

Reply | Quote

rc primak wrote:

So now what do I do?

Wait for or seek further information.

On permanent hiatus {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender

1 user thanked author for this post.

rc primak

Reply | Quote

For my TUF GAMING X570-PLUS

I see Version 4602
20.69 MB
2023/03/14
“1. Update AGESA version to ComboV2PI 1208
2. Mitigate the AMD potential security vulnerabilities for AMD Athlon™ processors and Ryzen™ processors”

Just because you don't know where you are going doesn't mean any road will get you there.

Reply | Quote

Since you have an X570 chipset, I’m assuming you have either a 3000 or 5000 series Ryzen processor (I have both). AMD fixes vulnerabilities, but OEMs (ASUS, MSI, etc) must implement it for the mobos they produce and, as you’ve probably observed, OEMs aren’t particularly timely at doing so.

In response to CVE-2021-26346, on January 10 AMD published:

Security Advisory AMD SB-1301

In it, AMD states “The AGESA versions listed below have been released to the Original Equipment Manufacturers (OEM) to mitigate these issues.” If you look under the “Mitigation” heading, you’ll see that 3000/5000 CPUs have “N/A” under them. I haven’t a clue as to whether this means “Not Available” or “Not Applicable”.

When issues such as this arise, I’m sure OEMs prioritize enterprise, workstation and business SKUs over general consumer and gamer SKUs which are less likely to be targeted, especially when the attack vector is local (hence the lower security threat). Like you, I just updated firmware to 1.2.0.8 on an MSI ACE X570 (a premium board). The firmware is dated March 3 and came with a similar helpful readme /sarcasm:

“This BIOS fixes the following problem of the previous version: – Update to AGESA ComboAm4v2PI 1.2.0.8.”

I agree with you. OEM communication skills leave something to be desired when consumer products and security are involved. However, like EricB above, I’ll not lose any sleep over this for the same reasons, but I’d still feel better knowing that all the doors are locked.

Reply | Quote

Well, one thing this topic prompted me to do was update the BIOS on my PowerSpec B685 tower PC. It has an ASUS motherboard, so I went for the ASUS BIOS update, per instructions received from the PowerSpec Support Chat people. (They are good at providing useful support options, including taking the PC in to the Micro Center and paying them to safely perform the BIOS flash.) What I got was an ASUS branded AMI BIOS, and some extra software from Intel and ASUS. Some of which is actually useful for system monitoring and updating drivers and the BIOS. So some good has come of all this discussion, even if we still are no closer to getting BIOS updates to deal with the two security issues covered in Brian’s excellent article.

The BIOS Update is from January, 2023, so it may cover the vulnerabilities discovered by the security people mentioned in the article. Or maybe not.

The driver updates do make the system perform much closer to expectations for a 12th-Gen Intel tower PC than the off the shelf PowerSpec drivers. And MUCH better than with the generic Microsoft Windows 11 drivers!

-- rc primak

1 user thanked author for this post.

Sueska

Reply | Quote

It is annoying that all the manufacturer wants to say is: ‘Improves performance’ or ‘improves reliability’. No specifics as if its a big secret.

Just because you don't know where you are going doesn't mean any road will get you there.

1 user thanked author for this post.

rc primak

Reply | Quote

@rc-primak I also purchased the PowerSpec 685B and downloaded all of the available drivers from the ASUS site but have not installed any of as yet. Glad to hear your updates went well & you noticed improvements. Perhaps ASUS will issue a new BIOS update soon with a description indicating a TPM 2.0 security fix. Thanks again.

1 user thanked author for this post.

rc primak

Reply | Quote

One would think this is an option. Unless the issue was already known in November, 2022 and only recently got hyped by the tech press.

-- rc primak

Reply | Quote

I added a discrete TPM 2.0 module to my ASUS motherboard header when the Win 11 requirements were first released. Active and ready to go for whenever I decide to upgrade my Win 10 desktop.

But the TPM sub-version is 1.16 (9/21/2016). So possibly vulnerable.

The manufacturer is Infineon (IFX). They are on the “not affected” list.

So hmmmmm…

Windows 10 Pro 22H2

Reply | Quote

You may get a “firmware update” from the manufacturer if you look at their site. Wait about a month before checking.

-- rc primak

Reply | Quote

The cl@sher hacker group posted about hacking TPM on the dark net over 11 years ago. This is why TPM is useless. There were posts here about  TPM being used to hide viruses as well.

https://www.askwoody.com/forums/topic/what-would-you-have-done/#post-2383176

Now it is finally getting out the massive public since there are plans for a new TPM 3.0 which has already been found to have flaws as well.

TPM is just there to give hackers and governments a easier way to break in and steal info and spy on users.

Reply | Quote

c y c wrote:

There were posts here about TPM being used to hide viruses as well.

https://www.askwoody.com/forums/topic/what-would-you-have-done/#post-2383176

Twelve-year-old theory — never seen in practice.

1 user thanked author for this post.

rc primak

Reply | Quote