CVE-2018-6622

EUVD-2018-18369

17.08.2018, 18:29

An issue was discovered that affects all producers of BIOS firmware who make a certain realistic interpretation of an obscure portion of the Trusted Computing Group (TCG) Trusted Platform Module (TPM) 2.0 specification. An abnormal case is not handled properly by this firmware while S3 sleep and can clear TPM 2.0. It allows local users to overwrite static PCRs of TPM and neutralize the security features of it, such as seal/unseal and remote attestation.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.1 HIGH	LOCAL	LOW	LOW	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 44%

Affected Products (NVD)

Vendor	Product	Version
trustedcomputinggroup	trusted_platform_module	2.0

𝑥

= Vulnerable software versions

References

http://www.securityfocus.com/bid/105203

https://www.usenix.org/conference/usenixsecurity18/presentation/han

http://www.securityfocus.com/bid/105203

https://www.usenix.org/conference/usenixsecurity18/presentation/han