libtpms Out-of-Bounds Read Vulnerability in HMAC Signing Function Leading to Denial-of-Service

A potential out-of-bounds read vulnerability has been identified in libtpms, a library that integrates TPM functionality into hypervisors like QEMU. This vulnerability arises in the 'CryptHmacSign' function, where there is an inconsistent pairing of the signKey and signScheme parameters. Specifically, the signKey is an ALG_KEYEDHASH key, while the signScheme is an ECC or RSA scheme. The issue can be triggered by user-mode applications sending malicious commands to a TPM 2.0 or vTPM (swtpm) instance with affected firmware based on the TCG reference implementation. Exploitation of this vulnerability causes an abort in libtpms due to the out-of-bounds access, making the vTPM unavailable to the virtual machine.

Impact

Exploitation of this vulnerability causes an abort in libtpms, leading to a denial-of-service condition where the vTPM (swtpm) becomes unavailable to a virtual machine.

Reproduction

The vulnerability can be reproduced by sending malicious commands from a user-mode application to a TPM 2.0 or vTPM (swtpm) instance with affected firmware. The malicious commands must exploit the inconsistent pairing of the signKey and signScheme parameters in the 'CryptHmacSign' function.

Remediation

Users are advised to upgrade to libtpms versions 0.7.12, 0.8.10, 0.9.7, or 0.10.1.