LENOVO:PS500130-NOSID

May 24, 2018 - 1:19 p.m.

RSA Keys Generated by Infineon TPMs are Insecure - US

2018-05-24 13:19:00
support.lenovo.com

CVSS3: 5.9 Medium

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: NONE
  • Availability Impact: NONE
  • Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS2: 4.3 Medium

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE
  • Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

EPSS: 0.004 Low

  • Percentile: 69.0%

Lenovo Security Advisory: LEN-15552

Potential Impact: RSA keys generated by the Infineon TPM using certain firmware levels are insecure

Severity: Varies; None to High

**Scope of Impact:** Industry-Wide

CVE Identifier: CVE-2017-15361

Summary Description:

A vulnerability was identified in the RSA key generation method used by Trusted Platform Modules (TPMs) manufactured by Infineon and contained in some Lenovo products. RSA public keys generated by the Infineon TPM for use by certain software programs should be considered insecure. No TPMs from other manufacturers are affected.

Only software that uses RSA keys generated by the TPM is affected by this vulnerability. No Lenovo-developed software uses the TPM for this purpose. Please see the Infineon advisory located here for more details.

The Trusted Platform Module (TPM) is a microcontroller on the system board used to securely store artifacts used to authenticate the platform, such as passwords, certificates or encryption keys, or measurements to ensure your system is trustworthy.

Mitigation Strategy for Customers (what you should do to protect yourself):

The sequence of steps required to mitigate this issue depends on the application and/or operating system of your system. Follow the mitigation instructions provided by your software supplier to avoid data loss when mitigating this issue:

  • For Microsoft users, follow the procedure located here. Be sure to install the Microsoft patch first in order to determine if your system is affected. If it is affected, then install the TPM Firmware update by following the link in the Product Impact section of this advisory. If you install the TPM firmware update first, the Microsoft tool included in the patch that detects if your system is affected will give incorrect results.
  • For Chromebook users, see the information located here.
  • Lenovo does not have information for other software that may use the TPM (WinMagic, Linux applications, other Windows applications, etc). To determine what steps should be taken to mitigate this issue (if any) without data loss, you should contact your software supplier.
  • Some systems in the affected list have 2 TPMs to allow the user to select between TPM 1.2 and TPM 2.0 (only one of these TPMs can be active). In the case where the Infineon TPM is not the active TPM, the checking and update tools will indicate the system is not affected. If you change the active TPM at some future date, Lenovo recommends that you re-run the checking and update tools to ensure that the TPM firmware is updated in your new configuration.
  • Even if you are not currently using any software that uses the TPM, Lenovo recommends that you apply the update contained in the link for your product to prevent generation of weakened keys if you install software that uses the TPM in the future.
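
Where no vendor tool covers the software in use, RSA public keys that are already issued can be screened directly. The following is an added example, not part of the Lenovo advisory or any vendor tool: it applies the fingerprint test from the public research on CVE-2017-15361, in which every affected modulus, reduced modulo each small prime, is a power of 65537. The function names and sample values are constructed for illustration.

```python
"""Screen RSA moduli for the CVE-2017-15361 fingerprint (added example)."""
from math import prod

# Odd primes up to 167, as used by the publicly documented fingerprint test.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127,
                131, 137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537  # affected primes have the form k*M + (65537**a mod M)

def _subgroup(p):
    """Residues mod p that are powers of GENERATOR."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * GENERATOR % p
    return seen

_ALLOWED = {p: _subgroup(p) for p in SMALL_PRIMES}

def failing_primes(n):
    """Small primes whose residue rules out the flawed structure."""
    return [p for p in SMALL_PRIMES if n % p not in _ALLOWED[p]]

def has_roca_fingerprint(n):
    """True if n is consistent with the flawed generator at every small prime."""
    return not failing_primes(n)

def parse_openssl_modulus(line):
    """Parse the 'Modulus=<hex>' line printed by `openssl rsa -modulus`."""
    return int(line.strip().split("=", 1)[-1], 16)

def constructed_flawed_value(k1, a1, k2, a2):
    """Constructed test value with the flawed residue structure (not a real
    key: the two factors are not checked for primality)."""
    m = 2 * prod(SMALL_PRIMES)
    p = k1 * m + pow(GENERATOR, a1, m)
    q = k2 * m + pow(GENERATOR, a2, m)
    return p * q

if __name__ == "__main__":
    flawed = constructed_flawed_value(12345, 678, 54321, 910)
    ordinary = (2**31 - 1) * (2**61 - 1)  # constructed: two Mersenne primes
    for name, n in (("flawed-structure", flawed), ("ordinary", ordinary)):
        print(name, has_roca_fingerprint(n), failing_primes(n)[:3])
```

A modulus that matches should be treated as generated by affected firmware and replaced after the firmware update; a modulus that fails at any prime does not have this structure.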

Product Impact:

Lenovo is urgently working on qualifying and applying the fixes provided by Infineon on supported systems. Please continue to refer to this advisory to identify fixes as they are posted for your systems.
