CVE-2019-16863
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
14/11/2019
Last modified:
07/11/2023
Description
STMicroelectronics ST33TPHF2ESPI TPM devices before 2019-09-12 allow attackers to extract the ECDSA private key via a side-channel timing attack because ECDSA scalar multiplication is mishandled, aka TPM-FAIL.
Impact
Base Score 3.x
5.90
Severity 3.x
MEDIUM
Base Score 2.0
4.30
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:st:st33tphf2espi_firmware:71.0:*:*:*:*:*:*:* | ||
| cpe:2.3:o:st:st33tphf2espi_firmware:71.4:*:*:*:*:*:*:* | ||
| cpe:2.3:o:st:st33tphf2espi_firmware:71.12:*:*:*:*:*:*:* | ||
| cpe:2.3:o:st:st33tphf2espi_firmware:73.0:*:*:*:*:*:*:* | ||
| cpe:2.3:o:st:st33tphf2espi_firmware:73.4:*:*:*:*:*:*:* | ||
| cpe:2.3:o:st:st33tphf2espi_firmware:73.8:*:*:*:*:*:*:* | ||
| cpe:2.3:h:st:st33tphf2espi:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:st:st33tphf2ei2c_firmware:73.5:*:*:*:*:*:*:* | ||
| cpe:2.3:o:st:st33tphf2ei2c_firmware:73.9:*:*:*:*:*:*:* | ||
| cpe:2.3:h:st:st33tphf2ei2c:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:st:st33tphf20spi_firmware:74.0:*:*:*:*:*:*:* | ||
| cpe:2.3:o:st:st33tphf20spi_firmware:74.4:*:*:*:*:*:*:* | ||
| cpe:2.3:o:st:st33tphf20spi_firmware:74.8:*:*:*:*:*:*:* | ||
| cpe:2.3:o:st:st33tphf20spi_firmware:74.16:*:*:*:*:*:*:* | ||
| cpe:2.3:h:st:st33tphf20spi:-:*:*:*:*:*:*:* | ||
References to Advisories, Solutions, and Tools
- http://tpm.fail
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190024
- https://support.f5.com/csp/article/K32412503?utm_source=f5support&%3Butm_medium=RSS
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03972en_us
- https://support.lenovo.com/us/en/product_security/LEN-29406
- https://www.st.com/content/st_com/en/campaigns/tpm-update.html



