
OPTIGA™ TPM Forum Discussions

KeOn_
Level 4

Hi,

I checked the site below and it says that InfineonTpmUpdateDxe uses old OpenSSL.

https://thehackernews.com/2022/11/dell-hp-and-lenovo-devices-found-using.html 

Does Infineon's TPM FW Update Tool still use OpenSSL?
Also, is there any vulnerability in that OpenSSL?

Thank you very much.

1 Solution
GuillaumeR
Employee

Hi @KeOn_ , @snehapra and the whole community,

On December 13th 2022, I'm able to say that Infineon's TPM FW Update Tool is not affected by any "OpenSSL" CVE (vulnerability) reporting.


4 Replies
snehapra
Moderator

Hi @KeOn_ ,

We are aware of the article you shared. Could you please specify which vulnerability of the TPM update tool you are referring to?
Also, we always recommend that our customers use the latest update tool with OpenSSL version 1.1.1e, which is tested and is not affected by any vulnerability.

Thanks,

Sneha

Thank you for your reply.

I would like to add one more point: when the vulnerability of Infineon's RSA encryption key was reported before, the FW Update Tool was released.
Is it correct that the OpenSSL vulnerability does not affect that tool?

https://www.infineon.com/cms/en/product/promopages/tpm-update/?redirId=59160 

TakashiM_61
Moderator

This additional question has been posted in a different thread.

Regarding the FW update tool released when Infineon's RSA encryption key vulnerability was reported 

So this thread has been locked; we will continue the discussion in the above new thread.
