Vulnerability in TPM could allow Security Feature Bypass

Executive Summary

This advisory addresses CVE-2017-15361, also referred to as "Return of Coppersmith’s Attack" (ROCA).

A security vulnerability exists in certain Trusted Platform Module (TPM) chipsets. The vulnerability weakens key strength. It is important to note that this is a firmware vulnerability, and not a vulnerability in the operating system or a specific application. After you have installed software and/or firmware updates, you will need to re-enroll in any security services you are running to remediate those services. For more details contact the TPM manufacturer - https://www.infineon.com/TPM-update. For specific services and use cases that are rendered insecure, see "Step 5 - Remediate services/(Use cases)" under Recommended Actions.

Advisory Details

Important This vulnerability is present in a specific vendor’s TPM firmware that is based on Trusted Computing Guidelines (TCG) specification family 1.2 and 2.0, not in the TPM standard or in Microsoft Windows. Some Windows security features and potentially third-party software rely on keys generated by the TPM (if available on the system). Microsoft is releasing Windows security updates to help work around the vulnerability by logging events and by allowing the generation of software based keys. Even after the operating system and/or TPM firmware updates are installed, you will need to carry out additional remediation steps to force regeneration of previously created weak TPM keys, depending on the applicable services you are running and on your particular use-cases. See Step 5 - "Remediate services based on your particular use cases" underRecommended Actions.

FAQ

1. What systems are at risk from these vulnerabilities?

• Client Operating Systems Windows client systems are at increased risk due to the prevalence of TPM on client hardware systems. There are distinct advantages to using hardware encryption modules.
• Server Operating Systems Servers with TPM modules.

2. What is a TPM?

See Trusted Platform Module Technology Overview

3. What is the associated CVE for this vulnerability?

See <https://www.infineon.com/TPM-update&gt;

4. Have there been any active attacks detected?

No. When this security advisory was issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.

5. Has this vulnerability been publicly disclosed?

No. Microsoft received information about the vulnerability through coordinated vulnerability disclosure.

6. What is the CVSS score?

See Vulnerability Note VU#307015:CVSS Metrics

7. What if a TPM firmware update is not available from my hardware OEM?

Hardware OEMs may release a TPM firmware update independently of the Microsoft software updates. The software updates are being released as a workaround to the vulnerability. To address the underlying issue, customers need to obtain and install a TPM firmware update. It is recommended that you contact your hardware manufacturer(s) for further guidance. TPM firmware updates may be combined with OEM system firmware updates or be delivered as a standalone tool by OEMs.

In the event of a hardware OEM explicitly NOT issuing a firmware update, customers can:

• Decide that the operating system update (that generates software-based keys) is sufficient for your services and use-cases. Note Services and use-case remediation will still be necessary.
• Move critical roles and users to devices that have updated firmware
• Move critical roles and users to devices that are not impacted by this vulnerability

8. I am running Windows 7 or Windows Server 2008 R2. Why do these operating systems not appear on the Affected Products table?

Windows 7 services and use cases are limited to BitLocker. Bitlocker on Windows 7 cannot work around the hardware issue. Therefore, because the vulnerability is in the firmware, updates are only necessary for the firmware. When TPM-based protector is used to protect the operating system volume, the security of the BitLocker protection is affected only if the TPM firmware version is 1.2.

For customers with affected devices that are running Windows 7, Microsoft suggests the following actions:

• Move critical roles and users to devices that have updated firmware
• Move critical roles and users to devices that are not affected by this vulnerability

If you are using non-Microsoft apps that require a TPM, you should contact the app developer to see if the app is affected.

9. I am running Windows Server 2012, Windows Server 2012 R2, or Windows 8.1. Why are the security-only updates listed in the Affected Products table from September 2017?

The updates addressing this vulnerability are part of an industry-wide coordinated disclosure to remediate the issue. Microsoft released updates for this vulnerability in a phased approach, and some of these updates were released in September.

Important: Because the security-only updates are not cumulative, customers who install these updates must install the September 2017 security-only update to receive the changes for this vulnerability. The security-only updates released on October 10, 2017 do not contain updates for this vulnerability.

10. What do the security-only updates for Windows Server 2012, Windows Server 2012 R2, and Windows 8.1 contain?

The updates provide:

• Detection to determine if your device has a vulnerable TPM chipset.
• A Virtual Smart Card event log entry indicating that the TPM verification failed.

Note that the monthly rollups are cumulative, while Security-only updates are not. Customers who install the October monthly rollup will receive the updates for this vulnerability.

Recommended Actions

1. Apply the Windows operating system updates (see Affected Products table for specific package KB numbers) first

WARNING: DoNOT apply the TPM firmware update prior to applying the Windows operating system mitigation update. Doing so will render your system unable to determine if your system is affected. You will need this information to conduct full remedation.

• The mitigation and detection update for Windows:
  • Addresses the vulnerability by preventing the generation of weak keys by the TPM hardware. New keys are generated using a software algorithm. Microsoft recommends that customers running systems that use affected TPM chipsets install the Windows security update as an interim measure until a firmware update is available from the system manufacturer.
  • Generates event log entries when a vulnerable TPM is detected.
  • Does NOT reduce BitLocker risk.

The majority of customers have automatic updating enabled and will not need to take any action because the updates will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install applicable updates manually. For administrators and enterprise installations, or end users who want to install the updates manually, Microsoft recommends applying the update immediately using update management software, or by checking for updates using the Microsoft Update service. For more information on how to manually apply this specific update, see the Affected Products table.

2. Determine devices in your organization that are affected

Because both mobile and stationary systems may be affected, mixing reactive and proactive measures may be best to determine affected devices. Depending on your use-case scenario, Microsoft recommends that you use one of the following methods to determine affected devices.

a. Option 1 - Use event log entries.

After the applicable Windows update is applied, the system will generate Event ID 1794 in the Event Viewer after each reboot under Windows Logs - System when vulnerable firmware is identified.

Type	Value
Event Log	Windows Log/System
Event Source	TPM-WMI
Event ID	1794

NOTE: Microsoft recommends that enterprise or home office users leverage this step as a reactive method to identify affected software.

b. Option 2 - Use a script (See Additional Context) to detect if firmware on your systems contain the vulnerability.

NOTE: Microsoft recommends that enterprise users leverage this step as a proactive method to identify affected software.

c. Option 3 - Manually check the Trusted Platform Module (TPM) Management snap-in (TPM.MSC) on each Windows 10 device

On devices running Windows 10 that have the October 2017 security update installed, in a CMD prompt, type "TPM.MSC" to open the Trusted Platform Module (TPM) Management snap-in. Devices with affected TPM modules will display the following error message:

"The TPM is ready for use. The TPM firmware on this PC has a known security problem. Please contact your PC manufacturer to find out if an update is available. For more information please go to <https://go.microsoft.com/fwlink/?linkid=852572&gt;.&quot;

NOTE: Microsoft recommends that consumers and Home office users leverage this step to identify affected software.

3. If you determine that devices in your organization are affected, analyze your risk tolerance and create short and long term resolution plans

A firmware update may or may not be available at the time of advisory release. Furthermore, the affected devices may represent a only small portion of your overall resources. Even though the Windows update is not a true replacement for fixing the firmware flaw it can be used as a temporary mitigation. However, even after the operating system and TPM firmware updates are installed, you will need to assess your TPM usage scenarios and take manual actions to force new keys to be generated.

Action	Pros	Cons
Keep keys generated by an at-risk TPM	Secrets cannot be “pried” from local machine	Persists known vulnerability and creates risk, especially for high value targets and data
Transition to software generated keys	Cryptographically strong, and potential temporary solution while waiting for firmware updates	Stored in software in local machine, and not supported by pre-Windows 8.1 / Windows Server 2012 clients and servers

4. Apply applicable firmware updates

• If your hardware is a Surface device, please see the following article for additional information:

Microsoft Knowledge Base Article 4073006

• If your device is not from Microsoft, apply the firmware provided by the OEM.

• If your device OEM is not listed in the following table, please contact the OEM’s Customer Support.

OEM	Link for firmware update
TPM OEM	<https://www.infineon.com/TPM-update&gt;
Acer	<https://us.answers.acer.com/app/answers/detail/a_id/51137&gt;
Fujitsu	<http://www.fujitsu.com/global/support/products/software/security/products-f/ifsa-201701e.html&gt;
HP Customer Support	<https://support.hp.com/us-en/document/c05792935&gt;
HP Enterprise Support	<https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03789en_us&gt;
Lenovo	<https://support.lenovo.com/us/en/product_security/LEN-15552&gt;
Panasonic	<http://pc-dl.panasonic.co.jp/itn/info/osinfo20171026.html&gt;
Toshiba	<http://go.toshiba.com/tpmsecuritynotice&gt;

5. Remediate services based on your particular use cases

Microsoft will continue to provide additional support to help identify and remediate this issue as it becomes available. The following table contains a list of services that you may be running on your device and a link to instructions for applying remediation steps for that service.

IMPORTANT BEFORE any remedition steps can be taken, Microsoft strongly recommends that a firmware update be applied. This is not a simple one-step procedure and you should fully understand the scope of the impact to you before proceeding.

SERVICE	REMEDIATION STEPS
Active Directory Certificate Services (ADCS)	<https://support.microsoft.com/en-us/help/4047409&gt;
Active Directory Directory Services (ADDS)	<https://support.microsoft.com/en-us/help/4046462&gt;
BitLocker	<https://support.microsoft.com/en-us/help/4046783&gt;
Credential Guard/DPAPI/Windows Information Protection	<https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-considerations#clearing-tpm-considerations&gt;
Device Health Attestation Service (DHA)	This vulnerability may impact the validity of the DHA-report that is issued by Device Health Attestation Service. The DHA-report cannot be trusted when the originating device is Jailbroken and DHA-Service is configured to perform attestation in “AIKCert validation mode”. To address the issue please use DHA-Cloud or configure your organization’s On Premise DHA-Service to run in “ EKCert validation” mode, and update your TPM firmware to address the root cause of the vulnerability.
VSC - Virtual Smart Card	<https://support.microsoft.com/en-us/help/4046784&gt;
Windows Hello For Business and Azure Active Directory	<https://support.microsoft.com/en-us/help/4046168&gt;
Windows Hello (and Microsoft Accounts (MSA))	Affected Microsoft account users should apply the latest Windows update and reset their PIN. To find out if you are affected, follow the instructions in Step 2: Determine devices in your organization that are affected, under Recommended Actions.
Windows Server 2016 Domain-joined device public key authentication	Domain-joined Device Public Key Authentication

6. Clear TPM

Important: Before using one of these methods for clearing TPM, please take note of the following:

• If there is any data protected by a TPM key, clearing the TPM without a data recovery plan or suspension of the protection will cause the data to become unavailable. Microsoft recommends reviewing your current data protection scheme before clearing TPM.

• Be aware that clearing a TPM will render ALL services that use TPM keys unusable until you complete any required remeditation steps. You may need to contact any third-party service vendors for those steps.

• For systems running Windows 7, you must suspend BitLocker protection before clearing TPM from the operating system. See Suspend-BitLocker

• For systems running Windows Server 2012, Windows Server 2012 R2, or Windows 8.1, it is not necessary to suspend BitLocker before clearing TPM from the operating system. It is not recommended that you clear the TPM from a firmware menu because if you have activated Device Encryption, you will be unable to suspend it in the operating system. Additionally, you will need to retrieve your Device Encryption Recovery Key from the MSA cloud to boot after clearing the TPM.

• Devices running Windows 10 that are protected by Credential Guard will lose secrets. For more information, see Credential Guard Considerations: Clearing TPM considerations.

• To clear TPM via PowerShell, see the following:

• For Windows Server 2012, Windows 8.1, and Windows Server 2012 R2: Clear-Tpm

• For Windows 10 and Server 2016: Clear-Tpm

• To clear TPM via GUI, see the following:

• For Windows 7 and Windows Server 2008 R2: Clear the TPM

• For Windows Server 2012, Windows 8.1, and Windows Server 2012 R2: Clear all the keys from the TPM

• For Windows 10 and Windows Server 2016: Clear all the keys from the TPM

Additional context

• Azure AD - What is Azure Active Directory?
• Bitlocker suspension - Suspend-BitLocker
• Credential Guard: Clearing TPM considerations - Clearing TPM Considerations
• Domain-joined Device Public Key Authentication - Automatic public key provisioning
• MSA Microsoft Account- Microsoft Accounts
• TPM - Windows Trusted Platform Module Management Step-by-Step Guide
• TPM Key Attestation - TPM Key Attestation
• Virtual Smart Card overview - Virtual Smart Card Overview
• Windows hello / Next Gen Credential - Windows Hello for Business

Quick methods for determining the firmware version:

• Use PowerShell cmd: Get-TPM (run as an administrator) on each device.

• Use the following PowerShell script, run as an administrator. Failing to run the script as an administrator will return incorrect results. In an enterprise setting, if you need to run the script remotely to check several devices, see the following:

  • PowerShell remoting setup: Tip: Enable and Use Remote Commands in Windows PowerShell
  • PowerShell remoting usage: PowerShell 5.1:Running Remote Commands

  $IfxManufacturerIdInt = 0x49465800 # ‘IFX’

  	function IsInfineonFirmwareVersionAffected ($FirmwareVersion)
  	{
  		$FirmwareMajor = $FirmwareVersion[0]
  		$FirmwareMinor = $FirmwareVersion[1]
  		switch ($FirmwareMajor)
  		{
  			4 { return $FirmwareMinor -le 33 -or ($FirmwareMinor -ge 40 -and $FirmwareMinor -le 42) }
  			5 { return $FirmwareMinor -le 61 }
  			6 { return $FirmwareMinor -le 42 }
  			7 { return $FirmwareMinor -le 61 }
  			133 { return $FirmwareMinor -le 32 }
  			default { return $False }
  		}
  	}
  	
  	function IsInfineonFirmwareVersionSusceptible ($FirmwareMajor)
  	{
  		switch ($FirmwareMajor)
  		{
  			4 { return $True }
  			5 { return $True }
  			6 { return $True }
  			7 { return $True }
  			133 { return $True }
  			default { return $False }
  		}
  	}
  	
  	$Tpm = Get-Tpm
  	$ManufacturerIdInt = $Tpm.ManufacturerId
  	$FirmwareVersion = $Tpm.ManufacturerVersion -split "\."
  	$FirmwareVersionAtLastProvision = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\TPM\WMI" -Name "FirmwareVersionAtLastProvision" -ErrorAction SilentlyContinue).FirmwareVersionAtLastProvision
  	
  	if (!$Tpm)
  	{
  		Write-Host "No TPM found on this system, so the issue does not apply here."
  	}
  	else
  	{
  		if ($ManufacturerIdInt -ne $IfxManufacturerIdInt)
  		{
  			Write-Host "This non-Infineon TPM is not affected by the issue."
  		}
  		else
  		{
  			if ($FirmwareVersion.Length -lt 2)
  			{
  				Write-Error "Could not get TPM firmware version from this TPM."
  			}
  			else
  			{
  				if (IsInfineonFirmwareVersionSusceptible($FirmwareVersion[0]))
  				{
  					if (IsInfineonFirmwareVersionAffected($FirmwareVersion))
  					{
  						Write-Host ("This Infineon firmware version {0}.{1} TPM is not safe. Please update your firmware." -f [int]$FirmwareVersion[0], [int]$FirmwareVersion[1])
  					}
  					else
  					{
  						Write-Host ("This Infineon firmware version {0}.{1} TPM is safe." -f [int]$FirmwareVersion[0], [int]$FirmwareVersion[1])
  						if (!$FirmwareVersionAtLastProvision)
  						{
  							Write-Host ("We cannot determine what the firmware version was when the TPM was last cleared. Please clear your TPM now that the firmware is safe.")
  						}
  						elseif ($FirmwareVersion -ne $FirmwareVersionAtLastProvision)
  						{
  							Write-Host ("The firmware version when the TPM was last cleared was different from the current firmware version. Please clear your TPM now that the firmware is safe.")
  						}
  					}
  				}
  				else
  				{
  					Write-Host ("This Infineon firmware version {0}.{1} TPM is safe." -f [int]$FirmwareVersion[0], [int]$FirmwareVersion[1])
  				}
  			}
  		}
  	}