CVE-2024-53085

CVSS 3.1 Score 5.5 of 10 (medium)

Details

Published Nov 19, 2024
Updated: Dec 9, 2024
CWE ID 667

Summary

CVE-2024-53085 is a vulnerability affecting the Linux kernel's TPM (Trusted Platform Module) subsystem. The issue arises from the order of operations in the functions tpm_pm_suspend() and tpm_hwrng_read(). Specifically, setting the TPM chip flag for suspension before locking the TPM chip can result in a race condition: it leaves a window in which tpm_hwrng_read() can be called while the suspend operation is still in progress. To mitigate this issue, the development community recommends locking the TPM chip before checking any chip flags in both tpm_pm_suspend() and tpm_hwrng_read(). Additionally, moving the TPM_CHIP_FLAG_SUSPENDED check inside tpm_get_random() ensures that the lock is always held before the flag is checked.
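
The lock-before-check ordering described above, as an added example that is not the kernel's code and not part of this advisory. It is a single-threaded user-space C model: chip_model, FLAG_SUSPENDED, the window callback and every function name are assumptions, and the callback stands in for a suspend that runs between the flag test and the lock.

```c
#include <pthread.h>
#include <stddef.h>
#define FLAG_SUSPENDED 0x1u /* model stand-in for TPM_CHIP_FLAG_SUSPENDED */
struct chip_model {
    pthread_mutex_t lock;
    unsigned flags;
    int powered;        /* cleared once the device has been shut down */
    int bad_transfers;  /* commands issued to a shut-down device */
};
typedef void (*preempt_fn)(struct chip_model *);
/* Suspend path in the corrected order: lock first, then change state. */
static void model_suspend(struct chip_model *c) {
    pthread_mutex_lock(&c->lock);
    c->powered = 0;
    c->flags |= FLAG_SUSPENDED;
    pthread_mutex_unlock(&c->lock);
}

static size_t transfer_locked(struct chip_model *c, size_t want) { /* caller holds c->lock */
    if (!c->powered) { c->bad_transfers++; return 0; }
    return want;
}

/* Flawed order: flag tested before the lock is held, so the answer can be stale. */
size_t read_check_then_lock(struct chip_model *c, size_t want, preempt_fn window) {
    if (c->flags & FLAG_SUSPENDED) return 0;
    if (window) window(c);  /* another task runs in this gap */
    pthread_mutex_lock(&c->lock);
    size_t got = transfer_locked(c, want);
    pthread_mutex_unlock(&c->lock);
    return got;
}

/* Corrected order: take the lock, then test the flag under it. */
size_t read_lock_then_check(struct chip_model *c, size_t want, preempt_fn window) {
    size_t got = 0;
    if (window) window(c);  /* same preemption point, now harmless */
    pthread_mutex_lock(&c->lock);
    if (!(c->flags & FLAG_SUSPENDED)) got = transfer_locked(c, want);
    pthread_mutex_unlock(&c->lock);
    return got;
}

/* One read with a suspend landing in the window; returns stale transfers. */
int stale_transfers(int lock_first) {
    struct chip_model c = { PTHREAD_MUTEX_INITIALIZER, 0, 1, 0 };
    (lock_first ? read_lock_then_check : read_check_then_lock)(&c, 32, model_suspend);
    return c.bad_transfers;
}
```

With the suspend landing in the window, the check-then-lock reader issues one transfer to a shut-down device, while the lock-then-check reader issues none.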
