
More Intel Exploits, not CPU this time. TPM-FAIL

BabaGanuche

Source - ZDNet

 

Quote

In a research paper published today, a team of academics from the Worcester Polytechnic Institute (USA), the University of Lübeck (Germany), and the University of California, San Diego (USA) has disclosed two vulnerabilities that impact two very widely used TPM solutions.

 

The first vulnerability is CVE-2019-11090 and impacts Intel's Platform Trust Technology (PTT).

Intel PTT is Intel's fTPM software-based TPM solution and is widely used on servers, desktops, and laptops, being supported on all Intel CPUs released since 2013, starting with the Haswell generation.

 

 

Quote

The actual attack on these two TPM technologies is what security researchers call a "timing leakage."

An external observer can record the time differences when the TPM is performing repetitive operations and infer the data being processed inside the secure chip -- all based on the amount of time the TPM takes to do the same thing over and over again.

The research team says the "timing leakage" they discovered can be used to extract 256-bit private keys that are being stored inside the TPM. More specifically, 256-bit private keys used by certain digital signature schemes based on elliptic curve algorithms such as ECDSA and ECSchnorr.

While this sounds like a very narrow attack surface, these two are common digital signature schemes used in many of today's cryptographically-secured operations, such as establishing TLS connections, signing digital certificates, and authorizing logins.

But the novelty and danger factor surrounding TPM-FAIL lies in the fact that this attack is also fully weaponizable in a real-world scenario.

 

Quote

"We even show that these attacks can be performed remotely on fast networks, by recovering the authentication key of a virtual private network (VPN) server in 5 hours."

Performing a five-hour-long attack on a remote VPN server isn't as hard as it sounds. Per the research team, the attack involves initiating around 45,000 authentication handshakes against a remote VPN server and recording the responses.

 

It appears that Intel cannot catch a break. This is just another example of the security issues that appear to be across Intel products.

Link to comment
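
As an added illustration of the "timing leakage" idea in the quoted article (not code from the article, the paper or any TPM firmware): a toy exponentiation loop whose amount of work depends on the secret, next to a fixed-length version that does the same work for every secret. The modulus, generator, function names and the step counter standing in for measured time are all assumptions made for this example.

```python
# Added illustration; step counts stand in for wall-clock time.
P = 2**61 - 1      # toy modulus (constructed), not a real curve
G = 3              # toy generator (constructed)
BITS = 256         # key size mentioned in the article

def variable_time_pow(k):
    """Square-and-multiply starting at the top set bit of k.
    Returns (G**k mod P, steps); steps varies with k's length and weight."""
    result, steps = 1, 0
    for i in range(k.bit_length() - 1, -1, -1):
        result = result * result % P
        steps += 1
        if (k >> i) & 1:
            result = result * G % P
            steps += 1
    return result, steps

def fixed_length_pow(k):
    """Montgomery ladder over all BITS positions: one multiply and one
    square per bit, whatever k is. Real firmware would also replace the
    branch with a branch-free swap; Python cannot model that part."""
    r0, r1, steps = 1, G, 0
    for i in range(BITS - 1, -1, -1):
        if (k >> i) & 1:
            r0, r1 = r0 * r1 % P, r1 * r1 % P
        else:
            r0, r1 = r0 * r0 % P, r0 * r1 % P
        steps += 2
    return r0, steps

def distinct_costs(fn, secrets):
    """Audit check: the set of step counts observed across secrets.
    A single value means the count did not depend on these secrets."""
    return {fn(k)[1] for k in secrets}

# Constructed secrets with 0, 8, 55 and 127 leading zero bits.
SECRETS = [(1 << n) | 1 for n in (255, 247, 200, 128)]

if __name__ == "__main__":
    for name, fn in (("variable", variable_time_pow), ("fixed", fixed_length_pow)):
        print(name, sorted(distinct_costs(fn, SECRETS)))
```

The same check works as a regression test for any signing routine that can be instrumented: feed it secrets of different shapes and require a single observed cost.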

TPM has had lots of vulnerabilities published. It's ridiculous given it's supposed to add security.

 

AMD's version has had vulnerabilities too (IIRC "Ryzenfall" was mostly about this kind of thing), just fewer in number. If I was a CTO of some corporation I wouldn't trust these security solutions at all, ever.

Link to comment

30 minutes ago, Sakkura said:

TPM has had lots of vulnerabilities published. It's ridiculous given it's supposed to add security.

 

AMD's version has had vulnerabilities too (IIRC "Ryzenfall" was mostly about this kind of thing), just fewer in number. If I was a CTO of some corporation I wouldn't trust these security solutions at all, ever.

Meanwhile Apple's is so secure it locks out the owner if they don't understand its exact function and take precautions.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  

Link to comment

56 minutes ago, Sakkura said:

TPM has had lots of vulnerabilities published. It's ridiculous given it's supposed to add security.

Having vulnerabilities published doesn't really mean anything if they were addressed and, hopefully, fixed later.

 

The Linux kernel has a laundry list of vulnerabilities on the CVE list and it's a longer list than Windows 10. That doesn't mean Linux shouldn't be used.

 

EDIT: I should point out yes having the CVE addressed won't help affected parts, and there's nothing you can really do about that, but in the overall grand scheme of things, it doesn't really mean anything. It just means if you're building a system now and were considering said components, which version to go with.

Edited by Mira Yurizaki
Link to comment

1 hour ago, mr moose said:

Meanwhile Apple's is so secure it locks out the owner if they don't understand its exact function and take precautions.

Or it locks them out for replacing a battery, home button, screen, etc.

 

Or they set the date wrong.

Ketchup is better than mustard.

GUI is better than Command Line Interface.

Dubs are better than subs

Link to comment

2 hours ago, Sakkura said:

TPM has had lots of vulnerabilities published. It's ridiculous given it's supposed to add security.

I'm not up to date on the full list of TPM vulnerabilities, but in this particular instance the paper (which I have only had chance to skim a few sections of) seems to suggest that this issue exists with some software implementations too, although some had already patched against this form of attack. If it is as exploitable as described in the paper, it is fairly severe (under the right circumstances), but it has also been fixed just like the software implementations.

 

For certain threat models, a TPM does provide a security benefit because the keys are no longer present in memory, but that should not be taken to mean that TPMs are absolutely secure - such a thing is not possible. TPMs are also not a benefit for all applications - if your threat model doesn't include protecting against an attacker being able to read the memory of the system, software based encryption is sufficient.

HTTP/2 203

Link to comment

This is the third thread on Intel vulnerabilities in a very short time, again is this actually new or a repost?


Link to comment

3 minutes ago, Ryan_Vickers said:

This is the third thread on Intel vulnerabilities in a very short time, again is this actually new or a repost?

yes

✨FNIGE✨

Link to comment

1 hour ago, Ryan_Vickers said:

This is the third thread on Intel vulnerabilities in a very short time, again is this actually new or a repost?

Unless I have missed something, of the three threads two were on the same vulnerabilities (one got moved to general, the other is in the news section) and then this thread on the TPM vulnerability.

 

I don't know if the TPM referenced in the OP is also listed as one of the 77 in the other thread because the OP's link doesn't take us to the article but instead takes us back to this thread. @BabaGanuche

 

 

 


Link to comment

17 hours ago, Ryan_Vickers said:

This is the third thread on Intel vulnerabilities in a very short time, again is this actually new or a repost?

TFW Intel is having so many vulnerabilities moderators start to wonder if it's spam.

Link to comment

Oof. ZombieLoad v2 and now this eh? Ouch. 

Be sure to @Pickles von Brine if you want me to see your reply!

Stopping by to praise the all mighty jar Lord pickles... * drinks from a chalice of holy pickle juice and tossed dill over shoulder* ~ @WarDance
3600x | NH-D15 Chromax Black | 32GB 3200MHz | ASUS KO RTX 3070 UnderVolted and UnderClocked | Gigabyte Aorus Elite AX X570S | Seasonic X760w | Phanteks Evolv X | 500GB WD_Black SN750 x2 | Sandisk Skyhawk 3.84TB SSD 

Link to comment

22 hours ago, BabaGanuche said:

Source - ZDNet

 

 

 

 

 

It appears that Intel cannot catch a break. This is just another example of the security issues that appear to be across Intel products.

Jesus that is bad. 


Link to comment

19 hours ago, colonel_mortis said:

For certain threat models, a TPM does provide a security benefit because the keys are no longer present in memory, but that should not be taken to mean that TPMs are absolutely secure - such a thing is not possible. TPMs are also not a benefit for all applications - if your threat model doesn't include protecting against an attacker being able to read the memory of the system, software based encryption is sufficient.

Bingo.

 

Is the TPM sufficient for turning on full-drive encryption? Yes. Will that save you from someone determined to get into your data? The only "safe" solution is not being connected to the network and the physical wireless (wifi/bluetooth) adapter being removed from the system. That pushes the encryption need to physical optical media or flash drives, which those are all universally rubbish "hardware" protections.

 

What about TPMs used for MS Office? Hardly beneficial to MS Office.

https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm

 

At best, you could say credential guard is probably the closest to anything you might actually use a TPM for (eg accessing your email in outlook.)

 

I mean most of the hate on TPM is towards its potential use by Microsoft, Adobe, Autodesk, and various SaaS/Cloud providers renting you the software, and making the TPM enforce the license. Which is a real threat, but it's also one that is easily steered around by using alternative software if that is really their concern.

Link to comment