Bug 30309 - tpm2-abrmd dbus service allows regular users to clear TPM
Summary: tpm2-abrmd dbus service allows regular users to clear TPM
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: Thierry Vignaud
QA Contact: Sec team
URL:
Whiteboard: MGA8TOO
Keywords: UPSTREAM
Depends on:
Blocks:
 
Reported: 2022-04-20 16:16 CEST by David Walser
Modified: 2023-10-24 23:40 CEST

See Also:
Source RPM: tpm2-abrmd-2.3.3-3.mga9.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2022-04-20 16:16:13 CEST
An issue in tpm2-abrmd has been announced here:
https://www.openwall.com/lists/oss-security/2022/04/20/3

This is only the beginning of the discussion and a clear solution is to come.

Mageia 8 is also affected.
David Walser 2022-04-20 16:16:22 CEST

Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-04-22 14:02:42 CEST
The announcement is long & dense, including:

- The Intel TPM 2.0 software stack offers software components for accessing TPM 2.0 hardware features. The stack's main components are the core libraries tpm2-tss [1], a set of command line tools tpm2-tools [2] and the userspace resource manager and access broker tpm2-abrmd [3] used for multiplexing parallel access to a TPM device.

- after installing all three of the mentioned tpm2 packages on openSUSE, arbitrary local users may issue arbitrary commands to the TPM chip [4], including a `tpm2_clear` operation

- I generally agree with upstream in that properly setup TPM level authorization will prevent any local DoS issues

- Tests on other Linux distributions like Debian or Fedora show that they exhibit the same behaviour when all three mentioned tpm2 packages are installed

- integrators might want to reduce the level of surprise for some of their users. This can be done relatively simply by restricting the D-Bus level access to members of a separate group, for example. Upstream recommends *not* to use the same 'tss' group for this

- Upstream stresses the point that this is not a known vulnerability

Nothing to do yet, so we will have to leave this floating with Bugsquad for the moment.
We offer these relevant TPM2 pkgs:
 lib64tpm2-tss-devel
 tpm2-abrmd
 tpm2-tools
 tpm2-tss

Keywords: (none) => UPSTREAM
CC: (none) => lewyssmith, tmb
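The group restriction summarised above is a change to the D-Bus policy file that tpm2-abrmd installs, so the thing worth checking on an affected system is whether the policy's default context lets every bus client call the resource manager. The script below is an added example for this bug, not code from tpm2-abrmd, from the announcement or from Mageia. It embeds two constructed policy files (one resembling the shipped tpm2-abrmd.conf, one restricted to a dedicated group) and a simplified model of dbus-daemon's rule evaluation so the effect can be checked offline. The bus name com.intel.tss2.Tabrmd is the one tpm2-abrmd registers; the group name "tpm2abrmd" and the user names are assumptions, chosen only to follow upstream's advice not to reuse the 'tss' group.

```python
"""Who can reach tpm2-abrmd over the system bus?

Added example, not code from tpm2-abrmd or from Mageia.  It models how
dbus-daemon evaluates a policy file in a simplified way: only
send_destination rules are considered, and the system bus is assumed to
deny method calls that no rule allows (which is what system.conf does).
"""
import sys
import xml.etree.ElementTree as ET

# Bus name the resource manager owns (upstream's name, not an assumption).
TABRMD_NAME = "com.intel.tss2.Tabrmd"

# Constructed to resemble the shipped tpm2-abrmd.conf (DOCTYPE omitted):
# the default context lets every bus client talk to the resource manager,
# so any local user can send TPM commands, tpm2_clear included.
PERMISSIVE_POLICY = """<busconfig>
  <policy user="tss">
    <allow own="com.intel.tss2.Tabrmd"/>
  </policy>
  <policy context="default">
    <allow send_destination="com.intel.tss2.Tabrmd"/>
    <allow receive_sender="com.intel.tss2.Tabrmd"/>
  </policy>
</busconfig>
"""

# Restricted variant: deny everyone, then allow one dedicated group and
# root.  The group name "tpm2abrmd" is an assumption; upstream only says
# not to reuse the "tss" group the daemon itself runs as.
RESTRICTED_POLICY = """<busconfig>
  <policy user="tss">
    <allow own="com.intel.tss2.Tabrmd"/>
  </policy>
  <policy context="default">
    <deny send_destination="com.intel.tss2.Tabrmd"/>
  </policy>
  <policy group="tpm2abrmd">
    <allow send_destination="com.intel.tss2.Tabrmd"/>
    <allow receive_sender="com.intel.tss2.Tabrmd"/>
  </policy>
  <policy user="root">
    <allow send_destination="com.intel.tss2.Tabrmd"/>
    <allow receive_sender="com.intel.tss2.Tabrmd"/>
  </policy>
</busconfig>
"""


def _matches(rule, destination):
    dest = rule.get("send_destination")
    return dest is not None and (dest == "*" or dest == destination)


def may_call(policy_xml, user, groups=(), destination=TABRMD_NAME):
    """True if `user` (member of `groups`) may send a method call to
    `destination`.  dbus-daemon applies the default context first, then
    group policies, then user policies, then the mandatory context; in
    that order the last matching allow/deny wins."""
    root = ET.fromstring(policy_xml)
    phases = (
        lambda p: p.get("context") == "default",
        lambda p: p.get("group") is not None and p.get("group") in groups,
        lambda p: p.get("user") == user,
        lambda p: p.get("context") == "mandatory",
    )
    verdict = False  # system-bus baseline: method calls are denied
    for selected in phases:
        for policy in root.findall("policy"):
            if not selected(policy):
                continue
            for rule in policy:
                if rule.tag in ("allow", "deny") and _matches(rule, destination):
                    verdict = rule.tag == "allow"
    return verdict


def world_reachable(policy_xml):
    """Destinations the default context lets every client call: the quick
    audit to run against an installed policy file."""
    root = ET.fromstring(policy_xml)
    allowed = set()
    for policy in root.findall("policy[@context='default']"):
        for rule in policy:
            dest = rule.get("send_destination")
            if dest is None:
                continue
            if rule.tag == "allow":
                allowed.add(dest)
            elif rule.tag == "deny":
                allowed.discard(dest)
    return allowed


if __name__ == "__main__":
    # With a path argument, audit a real file, e.g. the tpm2-abrmd.conf
    # under /usr/share/dbus-1/system.d (path assumed, check your package).
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print("world-reachable:", sorted(world_reachable(fh.read())))
        sys.exit(0)
    for label, policy in (("shipped", PERMISSIVE_POLICY),
                          ("restricted", RESTRICTED_POLICY)):
        print(f"{label}: user alice -> {may_call(policy, 'alice')}, "
              f"group member bob -> {may_call(policy, 'bob', {'tpm2abrmd'})}, "
              f"root -> {may_call(policy, 'root')}")
```

Run without arguments it prints the verdicts for the two embedded policies; run with the path of an installed policy file it lists the destinations the default context opens to every client, which is the one-line check for the behaviour this bug describes. After switching to a group-restricted policy the bus daemon has to re-read its configuration (dbus-daemon reloads on SIGHUP) and users who should keep TPM access must be added to the chosen group; a user outside it is then refused at the bus before any command reaches the TPM. This is independent of the TPM-level authorization upstream points to: TPM2_Clear requires lockout or platform hierarchy authorization, so a set lockout auth value stops tpm2_clear even for users who can reach the bus.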

Comment 2 Marja Van Waes 2022-04-22 14:56:01 CEST
(In reply to Lewis Smith from comment #1)

> 
> Nothing to do yet, so we will have to leave this floating with Bugsquad for
> the moment.
> We offer these relevant TPM2 pkgs:
>  lib64tpm2-tss-devel
>  tpm2-abrmd
>  tpm2-tools
>  tpm2-tss

CC'ing their registered maintainers, though

CC: (none) => geiger.david68210, marja11, thierry.vignaud

Comment 3 Lewis Smith 2023-05-17 21:29:02 CEST
@Luigi
What should we do? Put this in M9 ERRATA?
Comment 4 David Walser 2023-05-18 03:43:24 CEST
The maintainers will have to determine how this impacts Mageia and what should be done about it.
Comment 5 Lewis Smith 2023-05-19 21:04:23 CEST
In which case, can we assign it to pkg-bugs? Nothing to be gained by Bugsquad sitting on it.
Comment 6 Marja Van Waes 2023-10-24 23:40:29 CEST
(In reply to Lewis Smith from comment #5)
> In which case, can we assign it to pkg-bugs? Nothing to be gained by
> Bugsquad sitting on it.

tv is the registered maintainer now, but daviddavid updated the package in May, with a reference to:

   fix DBus policy location (rhbz #1955150)

It is too late to look for other updates since this bug was filed.

Assigning to the registered maintainer, in case more needs to be fixed and/or for Mageia 8

Assignee: bugsquad => thierry.vignaud

