CVE-2020-24455 — Missing Initialization of Resource in Software Stack Project Tpm2 Software Stack

CWE-909 — Missing Initialization of Resource CWE-456 — Missing Initialization of a Variable6 documents6 sources

Severity

6.7MEDIUMNVD

EPSS

0.1%

top 72.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tpm2-software Tpm2-tss Tpm2 Software Stack Project Tpm2 Software Stack Debian Tpm2-tss +7 more

Timeline

PublishedFeb 26

Latest updateMay 24

Description

Missing initialization of a variable in the TPM2 source may allow a privileged user to potentially enable an escalation of privilege via local access. This affects tpm2-tss before 3.0.1 and before 2.4.3.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 0.8 | Impact: 5.9

Affected Packages9 packages

▶debiandebian/tpm2-tss< tpm2-tss 3.0.1-1 (bookworm)

▶NVDtpm2_software_stack_project/tpm2_software_stack3.0.0 — 3.0.1+1

▶Debiantpm2-software/tpm2-tss< 3.0.1-1+3

▶msrcmsrc/cm1_tpm2-tss_2.4.6-1_on_cbl_mariner_1.0

▶msrcmsrc/cbl2_tpm2-tss_2.4.6-1_on_cbl_mariner_2.0

Also affects: Fedora 34

Patches

Patch: bugzilla.redhat.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-qh4p-3mhw-2cp7: Missing initialization of a variable in the TPM2 source may allow a privileged user to potentially enable an escalation of privilege via local access↗2022-05-24

▶

OSV

CVE-2020-24455: Missing initialization of a variable in the TPM2 source may allow a privileged user to potentially enable an escalation of privilege via local access↗2021-02-26

▶

📋Vendor Advisories

Microsoft

▶

Red Hat

tpm2-tss: FAPI PolicyPCR not instatiating correctly↗2020-10-13

▶

Debian

CVE-2020-24455: tpm2-tss - Missing initialization of a variable in the TPM2 source may allow a privileged u...↗2020

▶