CVE-2024-29040

EUVD-2024-26089

28.06.2024, 21:15

This repository hosts source code implementing the Trusted Computing Group's (TCG) TPM2 Software Stack (TSS). The JSON Quote Info returned by Fapi_Quote has to be deserialized by Fapi_VerifyQuote to the TPM Structure `TPMS_ATTEST`. For the field `TPM2_GENERATED magic` of this structure any number can be used in the JSON structure. The verifier can receive a state which does not represent the actual, possibly malicious state of the device under test. The malicious device might get access to data it shouldn't, or can use services it shouldn't be able to. This 
issue has been patched in version 4.1.0.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4.3 MEDIUM	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 21%

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
tpm2_software_stack_project	tpm2_software_stack	𝑥 < 4.1.0	ADP

Debian Releases

Debian Product

Codename

tpm2-tss

bookworm	no-dsa
bullseye	no-dsa
buster	postponed
forky	4.1.3-1.2 fixed
sid	4.1.3-1.2 fixed
trixie	4.1.3-1.2 fixed

Ubuntu Releases

Ubuntu Product

Codename

tpm2-tss

bionic	not-affected
focal	not-affected
jammy	Fixed 3.2.0-1ubuntu1.1 released
mantic	Fixed 4.0.1-3ubuntu1.1 released
noble	Fixed 4.0.1-7.1ubuntu5.1 released
oracular	Fixed 4.1.0-1ubuntu1 released
plucky	Fixed 4.1.0-1ubuntu1 released
questing	Fixed 4.1.0-1ubuntu1 released
xenial	not-affected

openSUSE / SLES Releases

openSUSE Product

Release

libtss2-esys0

suse enterprise desktop 15 SP5	3.1.0-150400.3.6.1 fixed
suse enterprise desktop 15 SP6	3.1.1-150600.2.1 fixed
suse enterprise desktop 15 SP7	3.1.1-150600.2.1 fixed
suse enterprise sap 15 SP5	3.1.0-150400.3.6.1 fixed
suse enterprise sap 15 SP6	3.1.1-150600.2.1 fixed
suse enterprise sap 15 SP7	3.1.1-150600.2.1 fixed
suse enterprise server 15 SP4	3.1.0-150400.3.6.1 fixed
suse enterprise server 15 SP5	3.1.0-150400.3.6.1 fixed
suse enterprise server 15 SP6	3.1.1-150600.2.1 fixed
suse enterprise server 15 SP7	3.1.1-150600.2.1 fixed

libtss2-fapi1

suse enterprise desktop 15 SP5	3.1.0-150400.3.6.1 fixed
suse enterprise desktop 15 SP6	3.1.1-150600.2.1 fixed
suse enterprise desktop 15 SP7	3.1.1-150600.2.1 fixed
suse enterprise sap 15 SP5	3.1.0-150400.3.6.1 fixed
suse enterprise sap 15 SP6	3.1.1-150600.2.1 fixed
suse enterprise sap 15 SP7	3.1.1-150600.2.1 fixed
suse enterprise server 15 SP4	3.1.0-150400.3.6.1 fixed
suse enterprise server 15 SP5	3.1.0-150400.3.6.1 fixed
suse enterprise server 15 SP6	3.1.1-150600.2.1 fixed
suse enterprise server 15 SP7	3.1.1-150600.2.1 fixed

libtss2-mu0

suse enterprise desktop 15 SP5	3.1.0-150400.3.6.1 fixed
suse enterprise desktop 15 SP6	3.1.1-150600.2.1 fixed
suse enterprise desktop 15 SP7	3.1.1-150600.2.1 fixed
suse enterprise sap 15 SP5	3.1.0-150400.3.6.1 fixed
suse enterprise sap 15 SP6	3.1.1-150600.2.1 fixed
suse enterprise sap 15 SP7	3.1.1-150600.2.1 fixed
suse enterprise server 15 SP4	3.1.0-150400.3.6.1 fixed
suse enterprise server 15 SP5	3.1.0-150400.3.6.1 fixed
suse enterprise server 15 SP6	3.1.1-150600.2.1 fixed
suse enterprise server 15 SP7	3.1.1-150600.2.1 fixed

libtss2-rc0

suse enterprise desktop 15 SP5	3.1.0-150400.3.6.1 fixed
suse enterprise desktop 15 SP6	3.1.1-150600.2.1 fixed
suse enterprise desktop 15 SP7	3.1.1-150600.2.1 fixed
suse enterprise sap 15 SP5	3.1.0-150400.3.6.1 fixed
suse enterprise sap 15 SP6	3.1.1-150600.2.1 fixed
suse enterprise sap 15 SP7	3.1.1-150600.2.1 fixed
suse enterprise server 15 SP4	3.1.0-150400.3.6.1 fixed
suse enterprise server 15 SP5	3.1.0-150400.3.6.1 fixed
suse enterprise server 15 SP6	3.1.1-150600.2.1 fixed
suse enterprise server 15 SP7	3.1.1-150600.2.1 fixed

libtss2-sys1

suse enterprise desktop 15 SP5	3.1.0-150400.3.6.1 fixed
suse enterprise desktop 15 SP6	3.1.1-150600.2.1 fixed
suse enterprise desktop 15 SP7	3.1.1-150600.2.1 fixed
suse enterprise sap 15 SP5	3.1.0-150400.3.6.1 fixed
suse enterprise sap 15 SP6	3.1.1-150600.2.1 fixed
suse enterprise sap 15 SP7	3.1.1-150600.2.1 fixed
suse enterprise server 15 SP4	3.1.0-150400.3.6.1 fixed
suse enterprise server 15 SP5	3.1.0-150400.3.6.1 fixed
suse enterprise server 15 SP6	3.1.1-150600.2.1 fixed
suse enterprise server 15 SP7	3.1.1-150600.2.1 fixed

libtss2-tcti-cmd0

suse enterprise desktop 15 SP5	3.1.0-150400.3.6.1 fixed
suse enterprise desktop 15 SP6	3.1.1-150600.2.1 fixed
suse enterprise desktop 15 SP7	3.1.1-150600.2.1 fixed
suse enterprise sap 15 SP5	3.1.0-150400.3.6.1 fixed
suse enterprise sap 15 SP6	3.1.1-150600.2.1 fixed
suse enterprise sap 15 SP7	3.1.1-150600.2.1 fixed
suse enterprise server 15 SP4	3.1.0-150400.3.6.1 fixed
suse enterprise server 15 SP5	3.1.0-150400.3.6.1 fixed
suse enterprise server 15 SP6	3.1.1-150600.2.1 fixed
suse enterprise server 15 SP7	3.1.1-150600.2.1 fixed

libtss2-tcti-device0

suse enterprise desktop 15 SP5	3.1.0-150400.3.6.1 fixed
suse enterprise desktop 15 SP6	3.1.1-150600.2.1 fixed
suse enterprise desktop 15 SP7	3.1.1-150600.2.1 fixed
suse enterprise sap 15 SP5	3.1.0-150400.3.6.1 fixed
suse enterprise sap 15 SP6	3.1.1-150600.2.1 fixed
suse enterprise sap 15 SP7	3.1.1-150600.2.1 fixed
suse enterprise server 15 SP4	3.1.0-150400.3.6.1 fixed
suse enterprise server 15 SP5	3.1.0-150400.3.6.1 fixed
suse enterprise server 15 SP6	3.1.1-150600.2.1 fixed
suse enterprise server 15 SP7	3.1.1-150600.2.1 fixed

libtss2-tcti-mssim0

suse enterprise desktop 15 SP5	3.1.0-150400.3.6.1 fixed
suse enterprise desktop 15 SP6	3.1.1-150600.2.1 fixed
suse enterprise desktop 15 SP7	3.1.1-150600.2.1 fixed
suse enterprise sap 15 SP5	3.1.0-150400.3.6.1 fixed
suse enterprise sap 15 SP6	3.1.1-150600.2.1 fixed
suse enterprise sap 15 SP7	3.1.1-150600.2.1 fixed
suse enterprise server 15 SP4	3.1.0-150400.3.6.1 fixed
suse enterprise server 15 SP5	3.1.0-150400.3.6.1 fixed
suse enterprise server 15 SP6	3.1.1-150600.2.1 fixed
suse enterprise server 15 SP7	3.1.1-150600.2.1 fixed

libtss2-tcti-pcap0

suse enterprise desktop 15 SP5	3.1.0-150400.3.6.1 fixed
suse enterprise desktop 15 SP6	3.1.1-150600.2.1 fixed
suse enterprise desktop 15 SP7	3.1.1-150600.2.1 fixed
suse enterprise sap 15 SP5	3.1.0-150400.3.6.1 fixed
suse enterprise sap 15 SP6	3.1.1-150600.2.1 fixed
suse enterprise sap 15 SP7	3.1.1-150600.2.1 fixed
suse enterprise server 15 SP4	3.1.0-150400.3.6.1 fixed
suse enterprise server 15 SP5	3.1.0-150400.3.6.1 fixed
suse enterprise server 15 SP6	3.1.1-150600.2.1 fixed
suse enterprise server 15 SP7	3.1.1-150600.2.1 fixed

libtss2-tcti-swtpm0

suse enterprise desktop 15 SP5	3.1.0-150400.3.6.1 fixed
suse enterprise desktop 15 SP6	3.1.1-150600.2.1 fixed
suse enterprise desktop 15 SP7	3.1.1-150600.2.1 fixed
suse enterprise sap 15 SP5	3.1.0-150400.3.6.1 fixed
suse enterprise sap 15 SP6	3.1.1-150600.2.1 fixed
suse enterprise sap 15 SP7	3.1.1-150600.2.1 fixed
suse enterprise server 15 SP4	3.1.0-150400.3.6.1 fixed
suse enterprise server 15 SP5	3.1.0-150400.3.6.1 fixed
suse enterprise server 15 SP6	3.1.1-150600.2.1 fixed
suse enterprise server 15 SP7	3.1.1-150600.2.1 fixed

libtss2-tctildr0

suse enterprise desktop 15 SP5	3.1.0-150400.3.6.1 fixed
suse enterprise desktop 15 SP6	3.1.1-150600.2.1 fixed
suse enterprise desktop 15 SP7	3.1.1-150600.2.1 fixed
suse enterprise sap 15 SP5	3.1.0-150400.3.6.1 fixed
suse enterprise sap 15 SP6	3.1.1-150600.2.1 fixed
suse enterprise sap 15 SP7	3.1.1-150600.2.1 fixed
suse enterprise server 15 SP4	3.1.0-150400.3.6.1 fixed
suse enterprise server 15 SP5	3.1.0-150400.3.6.1 fixed
suse enterprise server 15 SP6	3.1.1-150600.2.1 fixed
suse enterprise server 15 SP7	3.1.1-150600.2.1 fixed

tpm2-0-tss

suse enterprise desktop 15 SP5	3.1.0-150400.3.6.1 fixed
suse enterprise desktop 15 SP6	3.1.1-150600.2.1 fixed
suse enterprise desktop 15 SP7	3.1.1-150600.2.1 fixed
suse enterprise sap 15 SP5	3.1.0-150400.3.6.1 fixed
suse enterprise sap 15 SP6	3.1.1-150600.2.1 fixed
suse enterprise sap 15 SP7	3.1.1-150600.2.1 fixed
suse enterprise server 15 SP4	3.1.0-150400.3.6.1 fixed
suse enterprise server 15 SP5	3.1.0-150400.3.6.1 fixed
suse enterprise server 15 SP6	3.1.1-150600.2.1 fixed
suse enterprise server 15 SP7	3.1.1-150600.2.1 fixed

tpm2-0-tss-devel

suse enterprise desktop 15 SP5	3.1.0-150400.3.6.1 fixed
suse enterprise desktop 15 SP6	3.1.1-150600.2.1 fixed
suse enterprise desktop 15 SP7	3.1.1-150600.2.1 fixed
suse enterprise sap 15 SP5	3.1.0-150400.3.6.1 fixed
suse enterprise sap 15 SP6	3.1.1-150600.2.1 fixed
suse enterprise sap 15 SP7	3.1.1-150600.2.1 fixed
suse enterprise server 15 SP4	3.1.0-150400.3.6.1 fixed
suse enterprise server 15 SP5	3.1.0-150400.3.6.1 fixed
suse enterprise server 15 SP6	3.1.1-150600.2.1 fixed
suse enterprise server 15 SP7	3.1.1-150600.2.1 fixed

Common Weakness Enumeration

CWE-502 - Deserialization of Untrusted Data
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References

https://github.com/tpm2-software/tpm2-tss/releases/tag/4.1.0

https://github.com/tpm2-software/tpm2-tss/security/advisories/GHSA-837m-jw3m-h9p6

https://github.com/tpm2-software/tpm2-tss/releases/tag/4.1.0

https://github.com/tpm2-software/tpm2-tss/security/advisories/GHSA-837m-jw3m-h9p6

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EFR7SVEWCOXORHPCLLGXEMHFMIGG2MFE/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GI4JFEZBKQQUPJ4RWK6IHEWXAFCEJDPI/