p0w3rsh3ll/Test-InfineonTPMVulnerability.ps1

## Test-InfineonTPMVulnerability.ps1
#Requires -RunAsAdministrator

Function Test-InfineonTPMVulnerability {
<#
    .SYNOPSIS
        Test if Infineon TPM is vulnerable to ADV170012

    .DESCRIPTION
        Test if Infineon TPM is vulnerable to ADV170012

    .EXAMPLE
        Test-InfineonTPMVulnerability -Verbose

    .EXAMPLE
        Invoke-Command -ComputerName $C1,$C2 -ScriptBlock ${Function:\Test-InfineonTPMVulnerability}

    .NOTES
    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170012
#>
[CmdletBinding()]
Param()
Begin {

    Function Test-IsInfineonFirmwareVersionAffected {
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory)]
        [Version]$Version
    )
    Begin {}
    Process {
        Switch ($Version) {
            { $_.Major -eq 4 } {
                return ($_.Minor -le 33 -or $_.Minor -in @(40..42))
            }
            { $_.Major -eq 5 } {
                return ($_.Minor -le 61)
            }
            { $_.Major -eq 6 } {
                return ($_.Minor -le 42)
            }
            { $_.Major -eq 7 } {
                return ($_.Minor -le 61)
            }
            { $_.Major -eq 133} {
                return ($_.Minor -le 32)
            }
            default {$false}
        }
    }
    End {}
    }
    $HT = @{
        Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\TPM\WMI'
        Name = 'FirmwareVersionAtLastProvision'
        ErrorAction = 'SilentlyContinue'
    }
    $FirmwareVersionAtLastProvision = (Get-ItemProperty @HT).FirmwareVersionAtLastProvision
}
Process {
    try {
        $tpm = Get-WmiObject -Namespace 'root/cimv2/Security/MicrosoftTPM' -Class 'Win32_TPM' -ErrorAction Stop
    } catch {
        Write-Warning -Message "Failed to query Win32_TPM WMI class because $($_.Exception.Message)"
    }
    if ($tpm) {
        if ($tpm.ManufacturerId -ne 0x49465800) {
            Write-Verbose -Message 'No Infineon TPM detected = no vulnerability'
            $Vulnerable = $false
            $Reason = 'This non-Infineon TPM is not affected by the issue'
        } else {
            if ($tpm.ManufacturerVersion.length -lt 2) {
                Write-Verbose -Message "Found a  strange TPM version $($tpm.ManufacturerVersion)"
                $Unknown = $true
                $Reason = 'Could not get TPM firmware version from this TPM'
            } else {
                $Major,$Minor = $tpm.ManufacturerVersion -split '\.'

                if ($Major -in @(4,5,6,7,133)) {
                    $Vulnerable = Test-IsInfineonFirmwareVersionAffected -Version $tpm.ManufacturerVersion
                    if ($Vulnerable) {
                        $Reason = "This Infineon firmware version $($tpm.ManufacturerVersion) TPM is not safe. Please update your firmware."
                        Write-Verbose -Message $Reason
                    } else {
                        Write-Verbose -Message "This Infineon firmware version $($tpm.ManufacturerVersion) TPM is safe."
                        if (-not($FirmwareVersionAtLastProvision)) {
                            Write-Warning -Message 'We cannot determine what the firmware version was when the TPM was last cleared.'
                            Write-Warning -Message 'Please clear your TPM now that the firmware is safe.'
                            $ClearRequired = $true
                        } elseif ($($tpm.ManufacturerVersion) -ne $FirmwareVersionAtLastProvision) {
                            Write-Warning -Message 'The firmware version when the TPM was last cleared was different from the current firmware version.'
                            Write-Warning -Message 'Please clear your TPM now that the firmware is safe.'
                            $ClearRequired = $true
                        } else {
                            $ClearRequired = $false
                        }
                    }
                } else {
                    $Vulnerable = $false
                    $Reason ="This Infineon firmware version $($tpm.ManufacturerVersion) TPM is safe."
                    Write-Verbose -Message $Reason
                }
            }
        }
    } else {
        Write-Verbose -Message 'No TPM detected = no vulnerability'
        $Vulnerable = $false
        $Reason = 'No TPM found on this system, so the issue does not apply here'
    }

}
End {
    [PSCustomObject]@{
        ComputerName = $($env:COMPUTERNAME)
        TPMVersion = $(
            if ($tpm) {
                try {
                    [version]$($tpm.ManufacturerVersion)
                } catch {
                    [version]'0.0'
                }
            } else {
                [version]'0.0'
            }
        )
        Vulnerable = $Vulnerable
        Reason = $Reason
        Unknown = $(if ($Unknown) {$true} else {$false})
        ClearRequired = $(if ($ClearRequired) {$true} else {$false})
    }
}
}

Test-InfineonTPMVulnerability
	#Requires -RunAsAdministrator

	Function Test-InfineonTPMVulnerability {
	<#
	.SYNOPSIS
	Test if Infineon TPM is vulnerable to ADV170012

	.DESCRIPTION
	Test if Infineon TPM is vulnerable to ADV170012

	.EXAMPLE
	Test-InfineonTPMVulnerability -Verbose

	.EXAMPLE
	Invoke-Command -ComputerName $C1,$C2 -ScriptBlock ${Function:\Test-InfineonTPMVulnerability}

	.NOTES
	https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170012
	#>
	[CmdletBinding()]
	Param()
	Begin {

	Function Test-IsInfineonFirmwareVersionAffected {
	[CmdletBinding()]
	Param(
	[Parameter(Mandatory)]
	[Version]$Version
	)
	Begin {}
	Process {
	Switch ($Version) {
	{ $_.Major -eq 4 } {
	return ($_.Minor -le 33 -or $_.Minor -in @(40..42))
	}
	{ $_.Major -eq 5 } {
	return ($_.Minor -le 61)
	}
	{ $_.Major -eq 6 } {
	return ($_.Minor -le 42)
	}
	{ $_.Major -eq 7 } {
	return ($_.Minor -le 61)
	}
	{ $_.Major -eq 133} {
	return ($_.Minor -le 32)
	}
	default {$false}
	}
	}
	End {}
	}
	$HT = @{
	Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\TPM\WMI'
	Name = 'FirmwareVersionAtLastProvision'
	ErrorAction = 'SilentlyContinue'
	}
	$FirmwareVersionAtLastProvision = (Get-ItemProperty @HT).FirmwareVersionAtLastProvision
	}
	Process {
	try {
	$tpm = Get-WmiObject -Namespace 'root/cimv2/Security/MicrosoftTPM' -Class 'Win32_TPM' -ErrorAction Stop
	} catch {
	Write-Warning -Message "Failed to query Win32_TPM WMI class because $($_.Exception.Message)"
	}
	if ($tpm) {
	if ($tpm.ManufacturerId -ne 0x49465800) {
	Write-Verbose -Message 'No Infineon TPM detected = no vulnerability'
	$Vulnerable = $false
	$Reason = 'This non-Infineon TPM is not affected by the issue'
	} else {
	if ($tpm.ManufacturerVersion.length -lt 2) {
	Write-Verbose -Message "Found a strange TPM version $($tpm.ManufacturerVersion)"
	$Unknown = $true
	$Reason = 'Could not get TPM firmware version from this TPM'
	} else {
	$Major,$Minor = $tpm.ManufacturerVersion -split '\.'

	if ($Major -in @(4,5,6,7,133)) {
	$Vulnerable = Test-IsInfineonFirmwareVersionAffected -Version $tpm.ManufacturerVersion
	if ($Vulnerable) {
	$Reason = "This Infineon firmware version $($tpm.ManufacturerVersion) TPM is not safe. Please update your firmware."
	Write-Verbose -Message $Reason
	} else {
	Write-Verbose -Message "This Infineon firmware version $($tpm.ManufacturerVersion) TPM is safe."
	if (-not($FirmwareVersionAtLastProvision)) {
	Write-Warning -Message 'We cannot determine what the firmware version was when the TPM was last cleared.'
	Write-Warning -Message 'Please clear your TPM now that the firmware is safe.'
	$ClearRequired = $true
	} elseif ($($tpm.ManufacturerVersion) -ne $FirmwareVersionAtLastProvision) {
	Write-Warning -Message 'The firmware version when the TPM was last cleared was different from the current firmware version.'
	Write-Warning -Message 'Please clear your TPM now that the firmware is safe.'
	$ClearRequired = $true
	} else {
	$ClearRequired = $false
	}
	}
	} else {
	$Vulnerable = $false
	$Reason ="This Infineon firmware version $($tpm.ManufacturerVersion) TPM is safe."
	Write-Verbose -Message $Reason
	}
	}
	}
	} else {
	Write-Verbose -Message 'No TPM detected = no vulnerability'
	$Vulnerable = $false
	$Reason = 'No TPM found on this system, so the issue does not apply here'
	}

	}
	End {
	[PSCustomObject]@{
	ComputerName = $($env:COMPUTERNAME)
	TPMVersion = $(
	if ($tpm) {
	try {
	[version]$($tpm.ManufacturerVersion)
	} catch {
	[version]'0.0'
	}
	} else {
	[version]'0.0'
	}
	)
	Vulnerable = $Vulnerable
	Reason = $Reason
	Unknown = $(if ($Unknown) {$true} else {$false})
	ClearRequired = $(if ($ClearRequired) {$true} else {$false})
	}
	}
	}

	Test-InfineonTPMVulnerability