CVE-2023-22745
- Source
- https://cve.org/CVERecord?id=CVE-2023-22745
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-22745.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2023-22745
- Aliases
-
- GHSA-4j3v-fh23-vx67
- Downstream
- Related
- Published
- 2023-01-19T22:12:40.208Z
- Modified
- 2026-03-03T02:50:44.403461Z
- Severity
-
- 6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Buffer Overlow in TSS2_RC_Decode in tpm2-tss
- Details
-
tpm2-tss is an open source software implementation of the Trusted Computing Group (TCG) Trusted Platform Module (TPM) 2 Software Stack (TSS2). In versions prior to 4.1.0-rc0, 4.0.1, and 3.2.2-rc1,
Tss2_RC_SetHandlerandTss2_RC_Decodeboth index intolayer_handlerwith an 8 bit layer number, but the array only hasTPM2_ERROR_TSS2_RC_LAYER_COUNTentries, so trying to add a handler for higher-numbered layers or decode a response code with such a layer number reads/writes past the end of the buffer. This Buffer overrun, could result in arbitrary code execution. An example attack would be a MiTM bus attack that returns 0xFFFFFFFF for the RC. Given the common use case of TPM modules an attacker must have local access to the target machine with local system privileges which allows access to the TPM system. Usually TPM access requires administrative privilege. Versions 4.1.0-rc0, 4.0.1, and 3.2.2-rc1 fix the issue. - Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/22xxx/CVE-2023-22745.json", "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-120" ] }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/22xxx/CVE-2023-22745.json
- https://github.com/tpm2-software/tpm2-tss/commit/306490c8d848c367faa2d9df81f5e69dab46ffb5
- https://github.com/tpm2-software/tpm2-tss/commit/49107d65d5c7be430671398416bbd89dae4e34e7
- https://github.com/tpm2-software/tpm2-tss/commit/7ab42953216adec046d000a5e3085f3ee5e9cabf
- https://github.com/tpm2-software/tpm2-tss/security/advisories/GHSA-4j3v-fh23-vx67
- https://nvd.nist.gov/vuln/detail/CVE-2023-22745
Affected packages
Git / github.com/tpm2-software/tpm2-tss
Affected ranges
- Type
- GIT
- Repo
- https://github.com/tpm2-software/tpm2-tss
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedIntroduced0 Unknown introduced commit / All previous commits are affectedFixedIntroduced0 Unknown introduced commit / All previous commits are affectedFixedIntroducedFixed
Database specific
vanir_signatures
[
{
"id": "CVE-2023-22745-0319e4b5",
"signature_version": "v1",
"deprecated": false,
"source": "https://github.com/tpm2-software/tpm2-tss/commit/306490c8d848c367faa2d9df81f5e69dab46ffb5",
"target": {
"function": "main",
"file": "test/unit/test_tss2_rc.c"
},
"digest": {
"length": 1218.0,
"function_hash": "210679546137724741037001588151874037456"
},
"signature_type": "Function"
},
{
"id": "CVE-2023-22745-0bd56be7",
"signature_version": "v1",
"deprecated": false,
"source": "https://github.com/tpm2-software/tpm2-tss/commit/7ab42953216adec046d000a5e3085f3ee5e9cabf",
"target": {
"function": "main",
"file": "test/unit/test_tss2_rc.c"
},
"digest": {
"length": 824.0,
"function_hash": "204064093621549859084906869475315467738"
},
"signature_type": "Function"
},
{
"id": "CVE-2023-22745-18026062",
"signature_version": "v1",
"deprecated": false,
"source": "https://github.com/tpm2-software/tpm2-tss/commit/306490c8d848c367faa2d9df81f5e69dab46ffb5",
"target": {
"function": "unknown_layer_handler",
"file": "src/tss2-rc/tss2_rc.c"
},
"digest": {
"length": 156.0,
"function_hash": "218088611376052740940402826514781597383"
},
"signature_type": "Function"
},
{
"id": "CVE-2023-22745-2cfa9053",
"signature_version": "v1",
"deprecated": false,
"source": "https://github.com/tpm2-software/tpm2-tss/commit/49107d65d5c7be430671398416bbd89dae4e34e7",
"target": {
"function": "main",
"file": "test/unit/test_tss2_rc.c"
},
"digest": {
"length": 1218.0,
"function_hash": "210679546137724741037001588151874037456"
},
"signature_type": "Function"
},
{
"id": "CVE-2023-22745-33139623",
"signature_version": "v1",
"deprecated": false,
"source": "https://github.com/tpm2-software/tpm2-tss/commit/49107d65d5c7be430671398416bbd89dae4e34e7",
"target": {
"function": "test_custom_handler",
"file": "test/unit/test_tss2_rc.c"
},
"digest": {
"length": 620.0,
"function_hash": "182110618467033884683978193331878840039"
},
"signature_type": "Function"
},
{
"id": "CVE-2023-22745-4e65d669",
"signature_version": "v1",
"deprecated": false,
"source": "https://github.com/tpm2-software/tpm2-tss/commit/7ab42953216adec046d000a5e3085f3ee5e9cabf",
"target": {
"file": "src/tss2-rc/tss2_rc.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"175155527675725234282584628524148541148",
"23567128023151797515262071755044535935",
"246069061386680654964652272609164475271",
"317053638468776435130117046972868057196",
"273544491497178644508060489907716145726",
"32168314883317647211393153869998367397",
"332334334708390563159145155299411330838",
"231466411507703472447561467953752381176",
"256486060277900464150414024503665300954",
"100203091301140282490830830062163577972",
"48519959050036360211262107379558709304",
"62946738782964942369359072942712272509",
"321713299480784781204506439951265566850",
"59610478482568649494324819292043119128",
"33958196451259255076985691980273556146",
"84047839519626758488820882518956782927",
"147268084096708068266334779623255555612",
"81128235305904865454659180169877957610",
"196114647762815489413384562871668992420"
]
},
"signature_type": "Line"
},
{
"id": "CVE-2023-22745-4f02c9c8",
"signature_version": "v1",
"deprecated": false,
"source": "https://github.com/tpm2-software/tpm2-tss/commit/306490c8d848c367faa2d9df81f5e69dab46ffb5",
"target": {
"function": "Tss2_RC_Decode",
"file": "src/tss2-rc/tss2_rc.c"
},
"digest": {
"length": 627.0,
"function_hash": "62104052089286377825759825078223098491"
},
"signature_type": "Function"
},
{
"id": "CVE-2023-22745-51412f0c",
"signature_version": "v1",
"deprecated": false,
"source": "https://github.com/tpm2-software/tpm2-tss/commit/306490c8d848c367faa2d9df81f5e69dab46ffb5",
"target": {
"function": "test_custom_handler",
"file": "test/unit/test_tss2_rc.c"
},
"digest": {
"length": 620.0,
"function_hash": "182110618467033884683978193331878840039"
},
"signature_type": "Function"
},
{
"id": "CVE-2023-22745-610c2aac",
"signature_version": "v1",
"deprecated": false,
"source": "https://github.com/tpm2-software/tpm2-tss/commit/49107d65d5c7be430671398416bbd89dae4e34e7",
"target": {
"file": "src/tss2-rc/tss2_rc.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"175155527675725234282584628524148541148",
"23567128023151797515262071755044535935",
"246069061386680654964652272609164475271",
"317053638468776435130117046972868057196",
"273544491497178644508060489907716145726",
"32168314883317647211393153869998367397",
"332334334708390563159145155299411330838",
"231466411507703472447561467953752381176",
"256486060277900464150414024503665300954",
"100203091301140282490830830062163577972",
"48519959050036360211262107379558709304",
"62946738782964942369359072942712272509",
"321713299480784781204506439951265566850",
"59610478482568649494324819292043119128",
"33958196451259255076985691980273556146",
"84047839519626758488820882518956782927",
"147268084096708068266334779623255555612",
"81128235305904865454659180169877957610",
"196114647762815489413384562871668992420"
]
},
"signature_type": "Line"
},
{
"id": "CVE-2023-22745-9827217e",
"signature_version": "v1",
"deprecated": false,
"source": "https://github.com/tpm2-software/tpm2-tss/commit/7ab42953216adec046d000a5e3085f3ee5e9cabf",
"target": {
"function": "test_custom_handler",
"file": "test/unit/test_tss2_rc.c"
},
"digest": {
"length": 620.0,
"function_hash": "182110618467033884683978193331878840039"
},
"signature_type": "Function"
},
{
"id": "CVE-2023-22745-a4dd1b3f",
"signature_version": "v1",
"deprecated": false,
"source": "https://github.com/tpm2-software/tpm2-tss/commit/49107d65d5c7be430671398416bbd89dae4e34e7",
"target": {
"function": "unknown_layer_handler",
"file": "src/tss2-rc/tss2_rc.c"
},
"digest": {
"length": 156.0,
"function_hash": "218088611376052740940402826514781597383"
},
"signature_type": "Function"
},
{
"id": "CVE-2023-22745-a5112d7b",
"signature_version": "v1",
"deprecated": false,
"source": "https://github.com/tpm2-software/tpm2-tss/commit/7ab42953216adec046d000a5e3085f3ee5e9cabf",
"target": {
"function": "unknown_layer_handler",
"file": "src/tss2-rc/tss2_rc.c"
},
"digest": {
"length": 156.0,
"function_hash": "218088611376052740940402826514781597383"
},
"signature_type": "Function"
},
{
"id": "CVE-2023-22745-ae6001e0",
"signature_version": "v1",
"deprecated": false,
"source": "https://github.com/tpm2-software/tpm2-tss/commit/306490c8d848c367faa2d9df81f5e69dab46ffb5",
"target": {
"file": "test/unit/test_tss2_rc.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"126634302639959653755036627329680949387",
"196092249021504670097161779802200482716",
"90332454760094272248489186515054036492",
"79891519806361018900133012175209927382",
"95914502055682118326074923222407169010",
"51107693369683575149761039570257940314",
"172496355627255185672225025796286030669",
"5557156980887231434293513853665475631",
"213828210412642347337225541114718609237",
"51992140069610253985102355317595830564",
"279618971227684673329874254623029200314"
]
},
"signature_type": "Line"
},
{
"id": "CVE-2023-22745-b013904b",
"signature_version": "v1",
"deprecated": false,
"source": "https://github.com/tpm2-software/tpm2-tss/commit/7ab42953216adec046d000a5e3085f3ee5e9cabf",
"target": {
"file": "test/unit/test_tss2_rc.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"126634302639959653755036627329680949387",
"196092249021504670097161779802200482716",
"90332454760094272248489186515054036492",
"79891519806361018900133012175209927382",
"200972985790167298922305710773492206440",
"230018321900227890248859590876405822075",
"172496355627255185672225025796286030669",
"278006329284038542309903556397741749147",
"237255761619912192494392600862427721195",
"190923893354037871797047063437502076091",
"247551885064562752559588635847257214783"
]
},
"signature_type": "Line"
},
{
"id": "CVE-2023-22745-c310c951",
"signature_version": "v1",
"deprecated": false,
"source": "https://github.com/tpm2-software/tpm2-tss/commit/49107d65d5c7be430671398416bbd89dae4e34e7",
"target": {
"file": "test/unit/test_tss2_rc.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"126634302639959653755036627329680949387",
"196092249021504670097161779802200482716",
"90332454760094272248489186515054036492",
"79891519806361018900133012175209927382",
"95914502055682118326074923222407169010",
"51107693369683575149761039570257940314",
"172496355627255185672225025796286030669",
"5557156980887231434293513853665475631",
"213828210412642347337225541114718609237",
"51992140069610253985102355317595830564",
"279618971227684673329874254623029200314"
]
},
"signature_type": "Line"
},
{
"id": "CVE-2023-22745-d1c34fe0",
"signature_version": "v1",
"deprecated": false,
"source": "https://github.com/tpm2-software/tpm2-tss/commit/49107d65d5c7be430671398416bbd89dae4e34e7",
"target": {
"function": "Tss2_RC_Decode",
"file": "src/tss2-rc/tss2_rc.c"
},
"digest": {
"length": 627.0,
"function_hash": "62104052089286377825759825078223098491"
},
"signature_type": "Function"
},
{
"id": "CVE-2023-22745-dc815e12",
"signature_version": "v1",
"deprecated": false,
"source": "https://github.com/tpm2-software/tpm2-tss/commit/7ab42953216adec046d000a5e3085f3ee5e9cabf",
"target": {
"function": "Tss2_RC_Decode",
"file": "src/tss2-rc/tss2_rc.c"
},
"digest": {
"length": 627.0,
"function_hash": "62104052089286377825759825078223098491"
},
"signature_type": "Function"
},
{
"id": "CVE-2023-22745-ee77cc36",
"signature_version": "v1",
"deprecated": false,
"source": "https://github.com/tpm2-software/tpm2-tss/commit/306490c8d848c367faa2d9df81f5e69dab46ffb5",
"target": {
"file": "src/tss2-rc/tss2_rc.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"175155527675725234282584628524148541148",
"23567128023151797515262071755044535935",
"246069061386680654964652272609164475271",
"317053638468776435130117046972868057196",
"273544491497178644508060489907716145726",
"32168314883317647211393153869998367397",
"332334334708390563159145155299411330838",
"231466411507703472447561467953752381176",
"256486060277900464150414024503665300954",
"100203091301140282490830830062163577972",
"48519959050036360211262107379558709304",
"62946738782964942369359072942712272509",
"321713299480784781204506439951265566850",
"59610478482568649494324819292043119128",
"33958196451259255076985691980273556146",
"84047839519626758488820882518956782927",
"147268084096708068266334779623255555612",
"81128235305904865454659180169877957610",
"196114647762815489413384562871668992420"
]
},
"signature_type": "Line"
}
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-22745.json"