New
#1
Advisory above updated 11/13 by Microsoft.
ADV190024 | Microsoft Guidance for Vulnerability in Trusted Platform Module (TPM)
Security Advisory
Published: 11/12/2019
Executive Summary
This advisory addresses CVE-2019-16863.
A security vulnerability exists in certain Trusted Platform Module (TPM) chipsets. The vulnerability weakens key confidentiality protection for a specific algorithm (ECDSA). It is important to note that this is a TPM firmware vulnerability, and not a vulnerability in the Windows operating system or a specific application. Currently no Windows systems use the vulnerable algorithm. Other software or services you are running might use this algorithm. Therefore if your system is affected and requires the installation of TPM firmware updates, you might need to re-enroll in security services you are running to remediate those affected services. For more details contact the TPM manufacturer TPM update - STMicroelectronics.
Advisory Details
Important This vulnerability is present in a specific vendor’s TPM firmware that is based on Trusted Computing Guidelines (TCG) specification family 2.0, but not 1.2, and not in the TPM standard or in Microsoft Windows. Although Windows security features do not depend on the affected algorithm, third party software may rely on keys generated by the TPM and that would be affected by the vulnerability.
Even after a TPM firmware update is installed, you might need to carry out additional remediation steps to force regeneration of previously created affected TPM keys.
FAQ
1. What systems are at risk from these vulnerabilities?
- Client Operating Systems Windows client systems are at increased risk due to the prevalence of TPM on client hardware systems. There are distinct advantages to using hardware encryption modules.
- Server Operating Systems Servers with TPM modules.
2. What is a TPM?
See Trusted Platform Module Technology Overview
3. What is the associated CVE for this vulnerability?
See CVE-2019-16863
4. Have there been any active attacks detected?
No. When this security advisory was issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.
5. Has this vulnerability been publicly disclosed?
No. Microsoft received information about the vulnerability through coordinated vulnerability disclosure.
6. I have a Surface device. Is my device affected by this vulnerability?
No. Microsoft Surface devices do not have these chipsets installed.
Product Platform Article Download Impact Severity Supersedence None affected None None
Mitigations
Microsoft has not identified any mitigating factors for this vulnerability.
Workarounds
Microsoft has not identified any workarounds for this vulnerability.
Acknowledgements
Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure.
See acknowledgements for more information.
Disclaimer
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions
Version Date Description 1.0 11/12/2019 Information published. 1.1 11/13/2019 The article published at TPM update - STMicroelectronics has now been published and the link is active.
Source: https://portal.msrc.microsoft.com/en...sory/ADV190024
How to Check if Windows PC has a Trusted Platform Module (TPM) Chip