{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/282450#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\n\r\nAn out-of-bounds (OOB) read vulnerability has been identified in the Trusted Platform Module (TPM) 2.0 reference library specification, currently at Level 00, Revision 01.83 (March 2024). An attacker with access to a TPM command interface can exploit this vulnerability by sending specially crafted commands, potentially leading to unauthorized access to sensitive data or denial of service of the TPM.\r\n\r\n### Description\r\n\r\nTrusted Platform Module (TPM) technology is a hardware-based solution that provides secure cryptographic functions to operating systems on modern computing platforms. Designed to resist tampering, TPM can be implemented as a discrete chip, integrated component, or firmware-based module. Software-based implementations are also available to support the cryptographic needs of cloud and virtualized environments. The [Trusted Computing Group (TCG)](https://trustedcomputinggroup.org) maintains the TPM specifications and provides a [reference implementation](https://trustedcomputinggroup.org/resource/tpm-library-specification/) to assist vendor adoption.\r\n\r\nA security researcher has discovered an OOB read vulnerability in the `CryptHmacSign` function of the reference implementation. The issue arises because the reference code did not implement appropriate consistency checks in the `CryptHmacSign` function, resulting in a potential out-of-bounds read. An attacker with access to the TPM interface can exploit this mismatch by submitting a maliciously crafted packet, resulting in an out-of-bounds read from TPM memory, which may expose sensitive data.\r\n\r\n### Impact\r\n\r\nAn authenticated local attacker can send malicious commands to a vulnerable TPM interface, resulting in information disclosure or denial of service of the TPM. 
The impact assessment depends on the vendor-specific implementation. \r\n\r\n### Solution\r\n\r\nThe TCG has released an [errata update](https://trustedcomputinggroup.org/wp-content/uploads/TPM2.0-Library-Spec-v1.83-Errata_v1_pub.pdf) to the TPM 2.0 Library Specification and updated the reference implementations to address this vulnerability. Users are strongly encouraged to apply TPM-related firmware updates provided by their hardware or system vendors. Please refer to the Vendor Information section for any specific guidance from affected vendors. TPM 2.0 vendors are urged to use the latest specifications and the reference implementation to ensure these vulnerabilities are resolved in their implementations. TCG has published the [VRT0009](https://trustedcomputinggroup.org/wp-content/uploads/VRT0009-Advisory-FINAL.pdf) advisory and uses VRT0009 to track this advisory. \r\n\r\n#### libtpms open source \r\nSee also the related [CVE-2025-49133](https://www.cve.org/CVERecord?id=CVE-2025-49133) and the patch commit [04b2d8e](https://github.com/stefanberger/libtpms/commit/04b2d8e9afc0a9b6bffe562a23e58c0de11532d1) for the open-source [libtpms 0.10.1](https://github.com/stefanberger/libtpms/releases/tag/v0.10.1) release.\r\n\r\n### Acknowledgements\r\n\r\nThanks to the reporter, who wishes to remain anonymous.  This document was written by Vijay Sarvepalli.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. 
Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"},{"category":"other","text":"The vulnerability “VRT0009” in the Trusted Computing Group (TCG) TPM 2.0 reference code may also affect Infineon's OPTIGA™ TPM SLB 9672 / 9673 before FW version xx.24, SLB 9670 TPM2.0 before FW 7.86, SLM/SLI 9670 before FW13.16 and SLB 9665 before FW 5.66. \r\nFW-updates are available for all of the above listed products. Please visit the respective product pages on https://www.infineon.com/tpm","title":"Vendor statement from Infineon Technologies AG"},{"category":"other","text":"Insyde UEFI BIOS is not affected.  \r\n\r\nStatus is unknown for versions of UEFI BIOS for those chipsets with a firmware TPM, since the related code is provided by the silicon vendors.","title":"Vendor statement from Insyde Software Corporation"},{"category":"other","text":"The firmware code developed and supplied by Phoenix is not affected by this vulnerability.\r\n\r\nIf a TPM used by one of our end user OEMs in their platform requires an update to its embedded code, we may be asked to include that update in a package of code images supplied with our product.\r\n\r\nI know the VINCE coordinators consider this as \"potentially affected\", but we do not.","title":"Vendor statement from Phoenix Technologies"},{"category":"other","text":"Please refer to ST PSIRT webpage : https://www.st.com/content/st_com/en/about/security-and-privacy/psirt.html","title":"Vendor statement from STMicroelectronics"},{"category":"other","text":"Various Linux distributions that use KVM with swtpm as a vTPM are affected. 
Other products that may only libtpms are also affected.","title":"Vendor statement from libtpms IBM sponsored"},{"category":"other","text":"eCosPro RTOS does not use the CryptHmacSign helper function.","title":"Vendor statement from eCosCentric"},{"category":"other","text":"Absolute does not use the CryptHmacSign helper function in its implementation, so this does not impact us.","title":"Vendor statement from Absolute Software"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/282450"},{"url":"https://trustedcomputinggroup.org/wp-content/uploads/VRT0009-Advisory-FINAL.pdf","summary":"https://trustedcomputinggroup.org/wp-content/uploads/VRT0009-Advisory-FINAL.pdf"},{"url":"https://trustedcomputinggroup.org/wp-content/uploads/TPM2.0-Library-Spec-v1.83-Errata_v1_pub.pdf","summary":"https://trustedcomputinggroup.org/wp-content/uploads/TPM2.0-Library-Spec-v1.83-Errata_v1_pub.pdf"},{"url":"https://trustedcomputinggroup.org/about/security/","summary":"https://trustedcomputinggroup.org/about/security/"},{"url":"https://github.com/stefanberger/libtpms/commit/04b2d8e9afc0a9b6bffe562a23e58c0de11532d1","summary":"https://github.com/stefanberger/libtpms/commit/04b2d8e9afc0a9b6bffe562a23e58c0de11532d1"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-49133","summary":"https://www.cve.org/CVERecord?id=CVE-2025-49133"},{"url":"https://www.amd.com/en/resources/product-security/bulletin/amd-sb-4011.html","summary":"Reference(s) from vendor 
\"AMD\""},{"url":"https://www.st.com/resource/en/security_bulletin/sb0042-inapplicability-of-tcgvrt0009-to-stsafetpm-products-stmicroelectronics.pdf","summary":"Reference(s) from vendor \"STMicroelectronics\""}],"title":"Out-of-Bounds read vulnerability in TCG TPM2.0 reference implementation","tracking":{"current_release_date":"2025-10-30T16:06:08+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#282450","initial_release_date":"2025-06-10 17:19:27.099894+00:00","revision_history":[{"date":"2025-10-30T16:06:08+00:00","number":"1.20251030160608.16","summary":"Released on 2025-10-30T16:06:08+00:00"}],"status":"final","version":"1.20251030160608.16"}},"vulnerabilities":[{"title":"Liptpm's (versions before 0.","notes":[{"category":"summary","text":"Liptpm's (versions before 0.10.1)  CryptHmacSign helper function is vulnerable to Out-of-Bounds read due to the lack of validation the signature scheme with the signature key's algorithm."}],"cve":"CVE-2025-49133","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#282450"}],"references":[{"url":"https://forum.proxmox.com/threads/proxmox-virtual-environment-security-advisories.149331/page-2#post-779794","summary":"Subject: PSA-2025-00010-1: libtpms0/swtpm out of bounds read vulnerability​\r\n\r\nAdvisory date: 2025-06-23\r\n\r\nPackages: libtpms0\r\n\r\nDetails: libtpms, a library for integrating TPM functionality into QEMU was affected by an out of bounds read vulnerability that could be used to trigger an abort of swtpm, rendering the virtual TPM assigned to a QEMU VM inoperable.\r\n\r\nFixed: libtpm0 >= 0.9.7+pve1\r\n\r\nReferences: CVE-2025-49133 
CVE-2025-2884","category":"external"}],"product_status":{"known_affected":["CSAFPID-832bec56-350e-11f1-8422-122e2785dc9f","CSAFPID-832d3fac-350e-11f1-8422-122e2785dc9f","CSAFPID-832dd8f4-350e-11f1-8422-122e2785dc9f","CSAFPID-832ea3f6-350e-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-832aef9a-350e-11f1-8422-122e2785dc9f","CSAFPID-832c5290-350e-11f1-8422-122e2785dc9f","CSAFPID-832c9408-350e-11f1-8422-122e2785dc9f","CSAFPID-832cecb4-350e-11f1-8422-122e2785dc9f","CSAFPID-832d7d8c-350e-11f1-8422-122e2785dc9f","CSAFPID-832e0e32-350e-11f1-8422-122e2785dc9f","CSAFPID-832e651c-350e-11f1-8422-122e2785dc9f"]}},{"title":"TCG TPM2.","notes":[{"category":"summary","text":"TCG TPM2.0 Reference implementation's CryptHmacSign helper function is vulnerable to Out-of-Bounds read due to the lack of validation the signature scheme with the signature key's algorithm. See Errata 1.83 of TCG standard TPM2.0"}],"cve":"CVE-2025-2884","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#282450"}],"product_status":{"known_affected":["CSAFPID-832f2a7e-350e-11f1-8422-122e2785dc9f","CSAFPID-83324b32-350e-11f1-8422-122e2785dc9f","CSAFPID-8332e470-350e-11f1-8422-122e2785dc9f","CSAFPID-83333344-350e-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-832f87b2-350e-11f1-8422-122e2785dc9f","CSAFPID-832fd2d0-350e-11f1-8422-122e2785dc9f","CSAFPID-833018e4-350e-11f1-8422-122e2785dc9f","CSAFPID-83304972-350e-11f1-8422-122e2785dc9f","CSAFPID-8330b452-350e-11f1-8422-122e2785dc9f","CSAFPID-8330f944-350e-11f1-8422-122e2785dc9f","CSAFPID-8331812a-350e-11f1-8422-122e2785dc9f","CSAFPID-8331c75c-350e-11f1-8422-122e2785dc9f","CSAFPID-83320fe6-350e-11f1-8422-122e2785dc9f","CSAFPID-8332a5fa-350e-11f1-8422-122e2785dc9f","CSAFPID-83337822-350e-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"Infineon Technologies AG","product":{"name":"Infineon Technologies AG 
Products","product_id":"CSAFPID-832aef9a-350e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Proxmox Server Solutions","product":{"name":"Proxmox Server Solutions Products","product_id":"CSAFPID-832bec56-350e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"NEC Corporation","product":{"name":"NEC Corporation Products","product_id":"CSAFPID-832c5290-350e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"AMD","product":{"name":"AMD Products","product_id":"CSAFPID-832c9408-350e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"TrueOS","product":{"name":"TrueOS Products","product_id":"CSAFPID-832cecb4-350e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Red Hat","product":{"name":"Red Hat Products","product_id":"CSAFPID-832d3fac-350e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"eCosCentric","product":{"name":"eCosCentric Products","product_id":"CSAFPID-832d7d8c-350e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"libtpms IBM sponsored","product":{"name":"libtpms IBM sponsored Products","product_id":"CSAFPID-832dd8f4-350e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Insyde Software Corporation","product":{"name":"Insyde Software Corporation Products","product_id":"CSAFPID-832e0e32-350e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Absolute Software","product":{"name":"Absolute Software Products","product_id":"CSAFPID-832e651c-350e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Gentoo Linux","product":{"name":"Gentoo Linux Products","product_id":"CSAFPID-832ea3f6-350e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Infineon Technologies AG","product":{"name":"Infineon Technologies AG Products","product_id":"CSAFPID-832f2a7e-350e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Proxmox Server Solutions","product":{"name":"Proxmox Server Solutions Products","product_id":"CSAFPID-832f87b2-350e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"NEC Corporation","product":{"name":"NEC 
Corporation Products","product_id":"CSAFPID-832fd2d0-350e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"TrueOS","product":{"name":"TrueOS Products","product_id":"CSAFPID-833018e4-350e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Red Hat","product":{"name":"Red Hat Products","product_id":"CSAFPID-83304972-350e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Gentoo Linux","product":{"name":"Gentoo Linux Products","product_id":"CSAFPID-83307f1e-350e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Illumos","product":{"name":"Illumos Products","product_id":"CSAFPID-8330b452-350e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"eCosCentric","product":{"name":"eCosCentric Products","product_id":"CSAFPID-8330f944-350e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"libtpms IBM sponsored","product":{"name":"libtpms IBM sponsored Products","product_id":"CSAFPID-833131ca-350e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Phoenix Technologies","product":{"name":"Phoenix Technologies Products","product_id":"CSAFPID-8331812a-350e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Microchip Technology","product":{"name":"Microchip Technology Products","product_id":"CSAFPID-8331c75c-350e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Insyde Software Corporation","product":{"name":"Insyde Software Corporation Products","product_id":"CSAFPID-83320fe6-350e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Trusted Computing Group","product":{"name":"Trusted Computing Group Products","product_id":"CSAFPID-83324b32-350e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Samsung Semiconductor","product":{"name":"Samsung Semiconductor Products","product_id":"CSAFPID-8332a5fa-350e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"AMD","product":{"name":"AMD Products","product_id":"CSAFPID-8332e470-350e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Qualcomm","product":{"name":"Qualcomm 
Products","product_id":"CSAFPID-83333344-350e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Absolute Software","product":{"name":"Absolute Software Products","product_id":"CSAFPID-83337822-350e-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"STMicroelectronics","product":{"name":"STMicroelectronics Products","product_id":"CSAFPID-8333a446-350e-11f1-8422-122e2785dc9f"}}]}}