CVE-2023-1017 — HIGH (7.8) — White Hats Nepal

Q: How severe is CVE-2023-1017?

CVE-2023-1017 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-1017?

Check the references section above for vendor advisories and patch information. Affected products include: Trustedcomputinggroup Trusted Platform Module, Microsoft Windows 10 1507, Microsoft Windows 10 1607, Microsoft Windows 10 1809, Microsoft Windows 10 20H2.

Vulnerability Description

An out-of-bounds write vulnerability exists in TPM2.0's Module Library allowing writing of a 2-byte data past the end of TPM2.0 command in the CryptParameterDecryption routine. An attacker who can successfully exploit this vulnerability can lead to denial of service (crashing the TPM chip/process or rendering it unusable) and/or arbitrary code execution in the TPM context.

CVSS Score

7.8

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Trustedcomputinggroup	Trusted Platform Module	2.0
Microsoft	Windows 10 1507	< 10.0.10240.19805
Microsoft	Windows 10 1607	< 10.0.14393.5786
Microsoft	Windows 10 1809	< 10.0.17763.4131
Microsoft	Windows 10 20H2	< 10.0.19042.2728
Microsoft	Windows 10 21H2	< 10.0.19044.2728
Microsoft	Windows 10 22H2	< 10.0.19045.2728
Microsoft	Windows 11 21H2	< 10.0.22000.1696
Microsoft	Windows 11 22H2	< 10.0.22621.1413
Microsoft	Windows Server 2016	< 10.0.14393.5786
Microsoft	Windows Server 2019	< 10.0.17763.4131
Microsoft	Windows Server 2022	< 10.0.20348.1607

Related Weaknesses (CWE)

CWE-787

References

https://kb.cert.org/vuls/id/782720Third Party AdvisoryUS Government Resource
https://trustedcomputinggroup.org/about/security/Vendor Advisory
https://trustedcomputinggroup.org/wp-content/uploads/TCGVRT0007-Advisory-FINAL.pVendor Advisory
https://kb.cert.org/vuls/id/782720Third Party AdvisoryUS Government Resource
https://trustedcomputinggroup.org/about/security/Vendor Advisory
https://trustedcomputinggroup.org/wp-content/uploads/TCGVRT0007-Advisory-FINAL.pVendor Advisory
https://www.kb.cert.org/vuls/id/782720

FAQ

What is CVE-2023-1017?

CVE-2023-1017 is a vulnerability with a CVSS score of 7.8 (HIGH). An out-of-bounds write vulnerability exists in TPM2.0's Module Library allowing writing of a 2-byte data past the end of TPM2.0 command in the CryptParameterDecryption routine. An attacker who can suc...

How severe is CVE-2023-1017?

CVE-2023-1017 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-1017?

Check the references section above for vendor advisories and patch information. Affected products include: Trustedcomputinggroup Trusted Platform Module, Microsoft Windows 10 1507, Microsoft Windows 10 1607, Microsoft Windows 10 1809, Microsoft Windows 10 20H2.