Page 1 of 2 12 LastLast
  1.    3 Weeks Ago #1
    Join Date : Oct 2013
    Posts : 25,184
    64-bit Windows 10 Pro build 17040

    RSA Keys Generated by Infineon TPMs are Insecure


    Lenovo Security Advisory: LEN-15552

    Potential Impact: RSA keys generated by the Infineon TPM using certain firmware levels are insecure

    Severity: Varies; None to High

    Scope of Impact: Industry-Wide

    CVE Identifier: CVE-2017-15361

    Summary Description:

    A vulnerability was identified in the RSA key generation method used by Trusted Platform Modules (TPMs) manufactured by Infineon and contained in some Lenovo products. RSA public keys generated by the Infineon TPM for use by certain software programs should be considered insecure. No TPMs from other manufacturers are affected.

    Only software that uses RSA keys generated by the TPM is affected by this vulnerability. No Lenovo-developed software uses the TPM for this purpose. Please see the Infineon advisory located here for more details.

    The Trusted Platform Module (TPM) is a microcontroller on the system board used to securely store artifacts used to authenticate the platform, such as passwords, certificates or encryption keys, or measurements to ensure your system is trustworthy.

    Mitigation Strategy for Customers (what you should do to protect yourself):

    The sequence of steps required to mitigate this issue depends on the application and/or operating of your system. Follow the mitigation instructions provided by your software supplier to avoid data loss when mitigating this issue:

    • For Microsoft users, follow the procedure located here. Be sure to install the Microsoft patch first in order to determine if your system is affected. If it is affected, then install the TPM Firmware update by following the link in the Product Impact section of this advisory. If you install the TPM firmware update first, the Microsoft tool included in the patch that detects if your system is affected will give incorrect results. For Chromebook users, see the information located here.
    • Lenovo does not have information for other software that may use the TPM (WinMagic, Linux applications, other Windows applications, etc). To determine what steps should be taken to mitigate this issue (if any) without data loss, you should contact your software supplier.
    • Some systems in the affected list have 2 TPM’s to allow the user to select between TPM 1.2 and TPM 2.0 (Only one of these TPMs can be active). In the case where the Infineon TPM is not the active TPM, the checking and update tools will indicate the system is not affected. If you change the active TPM at some future date, Lenovo recommends that you re-run the checking and update tools to ensure that the TPM firmware is updated in your new configuration.
    • Even if you are not currently using any software that uses the TPM, Lenovo recommends that you apply the update contained in the link for your product to prevent generation of weakened keys if you install software that uses the TPM in the future.

    Product Impact:
    Lenovo is urgently working on qualifying and applying the fixes provided by Infineon on supported systems. Please continue to refer to this advisory to identify fixes as they are posted for your systems.


    Read more: RSA Keys Generated by Infineon TPMs are Insecure
      My ComputersSystem Spec
  2.    3 Weeks Ago #2
    Join Date : Jul 2015
    Nine Mile Falls WA
    Posts : 496
    win 10 pro x64

    I'm waiting on a update from infineon as mine is a infineon chip but i can't find any updates for my firmware at MSI website as its msi but the chip is infineon, i sent infineon a email have yet to hear back as to how i get it updated.
      My ComputerSystem Spec
  3.    3 Weeks Ago #3
    Join Date : Jul 2015
    Posts : 74
    Win 10 Pro 64x (1709)

    Asus use the Infineon chip in their TPM's and windows is telling me that it's not secure. I won't hold out much hope of Asus up dating the bios as the number of people that are using TPM's is probably quite small - but one lives in hope.
      My ComputersSystem Spec
  4.    3 Weeks Ago #4
    Join Date : Jun 2014
    USA
    Posts : 1,571
    Windows 10 Pro x64

    Quote Originally Posted by Tonyb View Post
    I'm waiting on a update from infineon as mine is a infineon chip but i can't find any updates for my firmware at MSI website as its msi but the chip is infineon, i sent infineon a email have yet to hear back as to how i get it updated.
    This news article was generated by my post here Infineon TPM Modules generating insecure RSA Keys - Windows 10 Forums. In that post I tell you how to check which TPM module you have and where to get the fix from if you're a Lenovo notebook user.

    BTW if you are a Lenovo notebook user and opted to be notified on new updates via e-mail, you should have gotten a notice on this already. See my link for more details.

    With that for those owning laptops and have an Infineon chip check the manufacturer's site for an update & fix.
      My ComputersSystem Spec
  5.    3 Weeks Ago #5
    Join Date : Jul 2015
    Nine Mile Falls WA
    Posts : 496
    win 10 pro x64

    Quote Originally Posted by sygnus21 View Post
    If this is a laptop, check the manufacturer's site for an update. I originally posted about this here Infineon TPM Modules generating insecure RSA Keys - Windows 10 Forums - where at least Lenovo notifies it's customers and provides a fix.
    I wish its a home built system with MSI mainboard and MSI TPM chip by infineon as in the TPM.MSC it shows it as IFX and i pulled it out of the pc an its a Infineon TPM 1.2 . not sure how i can get the update for it as infineon does not provide them to end users and MSI has nothing about it on there website.
      My ComputerSystem Spec
  6.    3 Weeks Ago #6
    Join Date : Jun 2014
    USA
    Posts : 1,571
    Windows 10 Pro x64

    I edited my post while you were quoting me so they no longer align. Sorry.

    Anyway, In your case I have no answer other than to perhaps point MSI tech support to the news article here, or call MSI personally and see what they have to say. Unfortunately the information from my article and the one here is generated by Lenovo, so I can't say how other vendors may be dealing with the issue - or if they even view this as an issue.

    The other thing is how far back are we going here - are these new, old, or both chips. Are they only TPM 1.2, 2.0, or both? Again, we only see what Lenovo is doing, so....
      My ComputersSystem Spec
  7.    3 Weeks Ago #7
    Join Date : Jul 2015
    Nine Mile Falls WA
    Posts : 496
    win 10 pro x64

    https://www.infineon.com/cms/en/prod...es/tpm-update/ this may help more on the issue so we have more info on ti as well.
      My ComputerSystem Spec
  8.    3 Weeks Ago #8
    Join Date : Jun 2014
    USA
    Posts : 1,571
    Windows 10 Pro x64

    I was just about the post that link to you when I saw your post

    Anyway cleaned up this is the same link - TPMupdate - Infineon Technologies

    It looks like this issue mainly affects notebooks not desktops, but....
      My ComputersSystem Spec
  9.    3 Weeks Ago #9
    Join Date : Jul 2015
    Nine Mile Falls WA
    Posts : 496
    win 10 pro x64

    yeah seen that going to take your advice though and give MSI a phone call
      My ComputerSystem Spec
  10.    3 Weeks Ago #10
    Join Date : Jun 2014
    USA
    Posts : 1,571
    Windows 10 Pro x64

    Quote Originally Posted by Tonyb View Post
    yeah seen that going to take your advice though and give MSI a phone call
    Question - Is this a desktop or laptop?

    I'm not aware of any store bought motherboards coming with TMP chips installed. Every motherboard I bought never came with one. This includes 3 Gigabyte boards, 3 Intel boards, and a couple of Abit boards.

    All that said, if this is a custom desktop build, did your board actually come with a TPM chip or did you add it later? If you purchased it separately, you may be on your own.
      My ComputersSystem Spec

 
Page 1 of 2 12 LastLast


Similar Threads
Thread Forum
Infineon TPM Modules generating insecure RSA Keys
FYI... I get emails for updates for my Lenovo ThinkPad notebook. That said, I got one this morning alerting me that some Lenovo notebooks using Infineon TPM modules are generating insecure RSA keys - RSA Keys Generated by Infineon TPMs are...
Drivers and Hardware
Solved keep getting insecure websites message with latest Mozilla Firefox
I have just installed latest version of Mozilla Firefox to try ( i use Cyberfox as main browser ) when i search something i keep getting this message on all sites i visit ie BBC,Amazon,etc How to get Mozilla Firefox to work..? Thank you ...
Browsers and Email
Google won't open on Firefox -- insecure site
My son's laptop has Windows 10 as its OS, the latest version of Firefox, no antivirus (just Windows Defender). When he tries to open Google, a message comes up that the site is insecure, and there is no possibility to add a certificate. Does anyone...
Browsers and Email
Automatic IPv6 6to4 and ISATAP tunnel adapter addresses generated.
Having an issue in our environment. We have not deployed IPv6 however all windows machines automatically generate an IPv6 6to4 and ISATAP tunnel adapter addresses.These addresses are sometimes registered in DNS and when doing name resolutions for...
Network and Sharing
Mail APP insecure according to Yahoo
I was setting up my Yahoo account in the Windows Mail App. I received this from Yahoo:
Browsers and Email
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 00:10.
Find Us
Twitter Facebook Google+ Ten Forums iOS App Ten Forums Android App



Windows 10 Forums