CVE-2023-22745

NameCVE-2023-22745
Descriptiontpm2-tss is an open source software implementation of the Trusted Computing Group (TCG) Trusted Platform Module (TPM) 2 Software Stack (TSS2). In affected versions `Tss2_RC_SetHandler` and `Tss2_RC_Decode` both index into `layer_handler` with an 8 bit layer number, but the array only has `TPM2_ERROR_TSS2_RC_LAYER_COUNT` entries, so trying to add a handler for higher-numbered layers or decode a response code with such a layer number reads/writes past the end of the buffer. This Buffer overrun, could result in arbitrary code execution. An example attack would be a MiTM bus attack that returns 0xFFFFFFFF for the RC. Given the common use case of TPM modules an attacker must have local access to the target machine with local system privileges which allows access to the TPM system. Usually TPM access requires administrative privilege.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1029369

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
tpm2-tss (PTS)buster2.1.0-4vulnerable
bullseye3.0.3-2vulnerable
bookworm3.2.1-3fixed
trixie4.0.1-7fixed
sid4.0.1-7.2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
tpm2-tsssource(unstable)3.2.1-31029369

Notes

[bullseye] - tpm2-tss <no-dsa> (Minor issue)
[buster] - tpm2-tss <no-dsa> (Minor issue)
Fixed by: https://github.com/tpm2-software/tpm2-tss/commit/306490c8d848c367faa2d9df81f5e69dab46ffb5
https://github.com/tpm2-software/tpm2-tss/security/advisories/GHSA-4j3v-fh23-vx67
Search for package or bug name: Reporting problems