CVE-2024-29039

moderate-risk
Published 2024-06-28

tpm2 is the source repository for the Trusted Platform Module (TPM2.0) tools. This vulnerability allows attackers to manipulate tpm2_checkquote outputs by altering the TPML_PCR_SELECTION in the PCR input file. As a result, digest values are incorrectly mapped to PCR slots and banks, providing a misleading picture of the TPM state. This issue has been patched in version 5.7.

Do I need to act?

~
1.7% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.0/10 Critical
NETWORK / HIGH complexity

Affected Products (1)

Tpm2-Tools

Affected Vendors

Tpm2-Tools Project

References (6)

Release Notes https://github.com/tpm2-software/tpm2-tools/releases/tag/5.7
Exploit https://github.com/tpm2-software/tpm2-tools/security/advisories/GHSA-8rjm-5f5f-h...
Release Notes https://github.com/tpm2-software/tpm2-tools/releases/tag/5.7
Exploit https://github.com/tpm2-software/tpm2-tools/security/advisories/GHSA-8rjm-5f5f-h...
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproje...
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproje...
35
/ 100
moderate-risk
Severity 26/34 · High
Exploitability 4/34 · Minimal
Exposure 5/34 · Minimal