A security vulnerability exists in the firmware of certain Infineon Trusted Platform Module (TPM) chipsets. The vulnerability weakens key strength. It is weakened so much that it is possible to derive the private key from the public key for RSA key pairs of up to 2048-bit.
This page contains a number of manners in which you can verify whether your computer contains an affected Infineon TPM chip that generates vulnerable RSA key pairs.
Using Windows Event Logs
- September 2017 Security Updates provide the functionality to generate software keys.
- October 2017 Security Updates provide detection in TPM.MSC to determine if your device has a vulnerable TPM module.
- Event Log: Windows Log/System
- Event Source: TPM-WMI
- Event ID: 1794
- ManufacturerVersion 4.33 and earlier
- ManufacturerVersion 4.40 to 4.42
- ManufacturerVersion 5.61 and earlier
- ManufacturerVersion 6.42 and earlier
- ManufacturerVersion 7.61 and earlier
- ManufacturerVersion 133.32 and earlier
Using the Trusted Platform Module (TPM) Management snap-in (TPM.MSC) (on a Windows 10 device)
- ROCA: Vulnerable RSA generation (CVE-2017-15361)
- Microsoft Security Techcenter: ADV170012 | Vulnerability in TPM could allow Security Feature Bypass
- Vulnerability Note VU#307015: Infineon RSA library does not properly generate RSA key pairs
- IsInfineonFirmwareVersionAffected.ps1 PowerShell script on GitHub