A security vulnerability exists in the firmware of certain Infineon Trusted Platform Module (TPM) chipsets. The vulnerability weakens key strength. It is weakened so much that it is possible to derive the private key from the public key for RSA key pairs of up to 2048-bit.
This page contains a number of manners in which you can verify whether your computer contains an affected Infineon TPM chip that generates vulnerable RSA key pairs.
Using Windows Event Logs
As part of the September and October 2017 Windows security updates, Microsoft has introduced fixes that address the weak key generation problem:
- September 2017 Security Updates provide the functionality to generate software keys.
- October 2017 Security Updates provide detection in TPM.MSC to determine if your device has a vulnerable TPM module.
After the applicable Windows update is applied, Windows will generate Event ID 1794 in the Event Viewer after each reboot under Windows Logs - System when vulnerable firmware is identified.
- Event Log: Windows Log/System
- Event Source: TPM-WMI
- Event ID: 1794
Using PowerShell
If you open a PowerShell prompt as administrator and issue the Get-TPM command, then you will get details on the manufacturer ID and firmware version of the TPM chip in your computer.
The manufacturer ID is represented as a number. The manufacturer ID of Infineon is 0x49465800 (in HEX) or 1229346816 (in decimal). If the listed manufacturer ID is not one these numbers, then you don't have an Infineon TPM chip and you are not affected by this issue.
However, if you do see one of the above number as the manufacturer ID, then it is important to check the ManufacturerVersion. The following ManufacturerVersions are affected by the CVE-2017-15361 vulnerability:
- ManufacturerVersion 4.33 and earlier
- ManufacturerVersion 4.40 to 4.42
- ManufacturerVersion 5.61 and earlier
- ManufacturerVersion 6.42 and earlier
- ManufacturerVersion 7.61 and earlier
- ManufacturerVersion 133.32 and earlier
Microsoft has created a PowerShell script that tests whether you have an Infineon chip and whether it has vulnerable firmware. For easier reuse, I have made the script available on GitHub in this repository:
When running this PowerShell script, it is important to execute it as Administrator. Otherwise you will get incorrect results.
Using the Trusted Platform Module (TPM) Management snap-in (TPM.MSC) (on a Windows 10 device)
On devices running Windows 10 that have the October 2017 security update installed, in a CMD prompt, type "TPM.MSC" to open the Trusted Platform Module (TPM) Management snap-in. Devices with affected TPM modules will display the following error message:
"The TPM is ready for use. The TPM firmware on this PC has a known security problem. Please contact your PC manufacturer to find out if an update is available. For more information please go to https://go.microsoft.com/fwlink/?linkid=852572."
References
- ROCA: Vulnerable RSA generation (CVE-2017-15361)
https://crocs.fi.muni.cz/public/papers/rsa_ccs17 - Microsoft Security Techcenter: ADV170012 | Vulnerability in TPM could allow Security Feature Bypass
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV17... - Vulnerability Note VU#307015: Infineon RSA library does not properly generate RSA key pairs
https://www.kb.cert.org/vuls/id/307015 - IsInfineonFirmwareVersionAffected.ps1 PowerShell script on GitHub
https://github.com/lva/Infineon-CVE-2017-15361