Getac Technology Corporation Statement on Trusted Platform Module Firmware Security Vulnerability

Notice:

Getac Technology Corporation (“Getac”) continues to work on qualifying and applying the fixes provided by Nuvoton Technology Corporation (“Nuvoton”) to supported Getac systems. Please refer to the table below to identify fixes for your systems.

 

Release Date: 14th Mar, 2023

Latest Updated: 5th May, 2023

 

Summary: 

The potential vulnerabilities CVE-2023-1017 and CVE-2023-1018 were found in the TPM 2.0 module library and could potentially lead to denial of service and/or arbitrary code execution in the TPM context.

CVE-2023-1018: Getac products are not affected by CVE-2023-1018.

CVE-2023-1017: It is reported that an attacker with physical access to a Nuvoton Trusted Platform Module (“TPM”) NPCT65x with firmware 1.3.0.1, 1.3.1.0 and 1.3.2.8 does not succeed in writing to or corrupting the TPM, but does cause the NPCT65x to become inaccessible as it enters a recoverable protection mode intended to safeguard the NPCT65x and its contents. When the TPM is in protection mode, the functionality of the NPCT65x can be restored by a full power cycle (Hard reset).

CVE ID: CVE-2023-1017, CVE-2023-1018

Getac Affected Products and Recommendations:

Upgrading to firmware version 1.3.2.20 will help to correct this issue; however, please note that version 1.3.2.20 is not FIPS, TCG or Common Criteria (CC) certified (though, according to Nuvoton, there are no real functional differences between versions 1.3.2.8 and 1.3.2.20). For those who are unable to update to firmware version 1.3.2.20, please note that a full power cycle (Hard reset) can restore the functionality of the NPCT65x when the TPM is in protection mode due to an attack related to this vulnerability.

Please check the affected products in the table below:

 

Getac Affected Products and Solution  

| Product Name | CPU Generation | TPM FW Version | Release Date | Solution Link |
|---|---|---|---|---|
| A140 | 6th Gen | 1.3.1.0 | 5th May, 2023 | |
| F110 | 7th Gen | 1.3.1.0 | 5th May, 2023 | |
| S410 | 8th Gen | 1.3.1.0 | 5th May, 2023 | |
| V110 | 7th Gen | 1.3.1.0 | 5th May, 2023 | |
| X500 | 7th Gen | 1.3.1.0 | 5th May, 2023 | |

Getac Disclaimer:

All content and other information mentioned in this statement or offered arising from the issue described herein are provided on an “as is” basis. Getac hereby expressly disclaims any warranties of any kind, express or implied, including without limitation warranties of merchantability, fitness for any particular purpose, and non-infringement of intellectual property. All products, information, and figures specified are preliminary based on current expectations, and Getac reserves the right to change or update any content thereof at any time without prior notice. Getac assessments have been estimated or simulated using Getac internal analysis or architecture simulation or modeling, and may not represent the actual risk to the users’ local installation and individual environment. Users are recommended to determine the applicability of this statement to their specified environments and take appropriate actions. The use of this statement, and all consequences of such use, is solely at the user’s own responsibility, risk, and expense. In no event shall Getac or any of its affiliates be liable for any and all claims, damages, costs or expenses, including without limitation, loss of profits, loss of data, loss of business expectancy, compensatory, direct, indirect, consequential, punitive, special, or incidental damages or business interruption arising out of, in connection with, or related to the information contained herein or actions that the user decides to take based thereon. Getac reserves the right to interpret this disclaimer and update this disclaimer whenever necessary.

 
