5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
0.006 Low
EPSS
Percentile
78.0%
This advisory addresses CVE-2019-16863.
A security vulnerability exists in certain Trusted Platform Module (TPM) chipsets. The vulnerability weakens key confidentiality protection for a specific algorithm (ECDSA). It is important to note that this is a TPM firmware vulnerability, and not a vulnerability in the Windows operating system or a specific application. Currently no Windows systems use the vulnerable algorithm. Other software or services you are running might use this algorithm. Therefore if your system is affected and requires the installation of TPM firmware updates, you might need to re-enroll in security services you are running to remediate those affected services. For more details contact the TPM manufacturer - <https://www.st.com/tpm-update>.
Important This vulnerability is present in a specific vendorβs TPM firmware that is based on Trusted Computing Guidelines (TCG) specification family 2.0, but not 1.2, and not in the TPM standard or in Microsoft Windows. Although Windows security features do not depend on the affected algorithm, third party software may rely on keys generated by the TPM and that would be affected by the vulnerability.
Even after a TPM firmware update is installed, you might need to carry out additional remediation steps to force regeneration of previously created affected TPM keys.
1. What systems are at risk from these vulnerabilities?
2. What is a TPM?
See Trusted Platform Module Technology Overview
3. What is the associated CVE for this vulnerability?
See CVE-2019-16863
4. Have there been any active attacks detected?
No. When this security advisory was issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.
5. Has this vulnerability been publicly disclosed?
No. Microsoft received information about the vulnerability through coordinated vulnerability disclosure.
6. I have a Surface device. Is my device affected by this vulnerability?
No. Microsoft Surface devices do not have these chipsets installed.
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
0.006 Low
EPSS
Percentile
78.0%