#Requires -RunAsAdministrator
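Function Test-InfineonTPMVulnerability {
<#
.SYNOPSIS
Test if an Infineon TPM is affected by ADV170012.
.DESCRIPTION
Queries the Win32_TPM WMI class, identifies Infineon parts by manufacturer ID
and compares the reported firmware version against the affected ranges listed
in the advisory. For an Infineon TPM that is already on safe firmware, the
registry value FirmwareVersionAtLastProvision is consulted to decide whether
the TPM still has to be cleared: the advisory asks for a clear after the
firmware update so that keys generated by the old firmware are replaced.
.EXAMPLE
Test-InfineonTPMVulnerability -Verbose
.EXAMPLE
Invoke-Command -ComputerName $C1,$C2 -ScriptBlock ${Function:\Test-InfineonTPMVulnerability}
.OUTPUTS
PSCustomObject with ComputerName, TPMVersion, Vulnerable, Reason, Unknown and
ClearRequired. Vulnerable/Unknown/ClearRequired are always booleans and Reason
is always populated; TPMVersion is 0.0 when there is no TPM or the firmware
version string cannot be parsed.
.NOTES
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170012
The enclosing script declares #Requires -RunAsAdministrator; run elevated.
#>
    [CmdletBinding()]
    [OutputType([PSCustomObject])]
    Param()
    Begin {
        Function Test-IsInfineonFirmwareVersionAffected {
        <#
        .SYNOPSIS
        Returns $true when a firmware version falls inside one of the ADV170012
        affected ranges; only Major and Minor are compared.
        .PARAMETER Version
        Parsed firmware version of the TPM.
        #>
            [CmdletBinding()]
            [OutputType([bool])]
            Param(
                [Parameter(Mandatory)]
                [Version]$Version
            )
            Process {
                # Affected ranges as listed in the advisory, keyed by major version.
                switch ($Version.Major) {
                    4       { return ($Version.Minor -le 33 -or ($Version.Minor -ge 40 -and $Version.Minor -le 42)) }
                    5       { return ($Version.Minor -le 61) }
                    6       { return ($Version.Minor -le 42) }
                    7       { return ($Version.Minor -le 61) }
                    133     { return ($Version.Minor -le 32) }
                    default { return $false }
                }
            }
        }

        # Firmware version recorded by Windows when the TPM was last provisioned.
        # Absent or different from the running version => the TPM was not cleared
        # since the firmware changed. Read best-effort: a missing value is a
        # legitimate state handled below, not an error.
        $HT = @{
            Path        = 'HKLM:\SYSTEM\CurrentControlSet\Services\TPM\WMI'
            Name        = 'FirmwareVersionAtLastProvision'
            ErrorAction = 'SilentlyContinue'
        }
        $FirmwareVersionAtLastProvision = (Get-ItemProperty @HT).FirmwareVersionAtLastProvision

        # Result state. Every branch in Process sets Reason; the flags default to
        # $false so the output object never carries $null in a boolean field.
        $tpm           = $null
        $ParsedVersion = $null
        $Vulnerable    = $false
        $Unknown       = $false
        $ClearRequired = $false
        $Reason        = $null
    }
    Process {
        try {
            $tpm = Get-WmiObject -Namespace 'root/cimv2/Security/MicrosoftTPM' -Class 'Win32_TPM' -ErrorAction Stop
        } catch {
            Write-Warning -Message "Failed to query Win32_TPM WMI class because $($_.Exception.Message)"
        }

        if ($tpm) {
            # Parse once, tolerantly: reused for the range check and for the
            # TPMVersion output field. A failed parse leaves $ParsedVersion $null.
            [void][Version]::TryParse([string]$tpm.ManufacturerVersion, [ref]$ParsedVersion)
        }

        if (-not $tpm) {
            Write-Verbose -Message 'No TPM detected = no vulnerability'
            $Reason = 'No TPM found on this system, so the issue does not apply here'
        } elseif ($tpm.ManufacturerId -ne 0x49465800) {
            # 0x49465800 is the ASCII manufacturer ID 'IFX' (Infineon) padded with NUL.
            Write-Verbose -Message 'No Infineon TPM detected = no vulnerability'
            $Reason = 'This non-Infineon TPM is not affected by the issue'
        } elseif (-not $ParsedVersion) {
            # Empty or unparseable version string: report Unknown rather than
            # guessing either way.
            Write-Verbose -Message "Found a strange TPM version $($tpm.ManufacturerVersion)"
            $Unknown = $true
            $Reason  = 'Could not get TPM firmware version from this TPM'
        } elseif ($ParsedVersion.Major -notin @(4, 5, 6, 7, 133)) {
            # Major version outside every affected family.
            $Reason = "This Infineon firmware version $($tpm.ManufacturerVersion) TPM is safe."
            Write-Verbose -Message $Reason
        } else {
            $Vulnerable = Test-IsInfineonFirmwareVersionAffected -Version $ParsedVersion
            if ($Vulnerable) {
                $Reason = "This Infineon firmware version $($tpm.ManufacturerVersion) TPM is not safe. Please update your firmware."
                Write-Verbose -Message $Reason
            } else {
                $Reason = "This Infineon firmware version $($tpm.ManufacturerVersion) TPM is safe."
                Write-Verbose -Message $Reason
                # Safe firmware alone is not enough: the TPM must have been cleared
                # on this firmware so that keys from the old firmware are gone.
                if (-not $FirmwareVersionAtLastProvision) {
                    Write-Warning -Message 'We cannot determine what the firmware version was when the TPM was last cleared.'
                    Write-Warning -Message 'Please clear your TPM now that the firmware is safe.'
                    $ClearRequired = $true
                } elseif ([string]$tpm.ManufacturerVersion -ne [string]$FirmwareVersionAtLastProvision) {
                    Write-Warning -Message 'The firmware version when the TPM was last cleared was different from the current firmware version.'
                    Write-Warning -Message 'Please clear your TPM now that the firmware is safe.'
                    $ClearRequired = $true
                }
            }
        }
    }
    End {
        [PSCustomObject]@{
            ComputerName  = $env:COMPUTERNAME
            # 0.0 stands in for "no TPM" and for an unparseable version string.
            TPMVersion    = $(if ($ParsedVersion) { $ParsedVersion } else { [version]'0.0' })
            Vulnerable    = [bool]$Vulnerable
            Reason        = $Reason
            Unknown       = [bool]$Unknown
            ClearRequired = [bool]$ClearRequired
        }
    }
}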
# Run the check on the local host and emit the result object to the pipeline.
Test-InfineonTPMVulnerability | Write-Output