CVE-2024-29040 is a vulnerability categorized under CWE-502 (Deserialization of Untrusted Data) found in the tpm2-tss component of the tpm2-software stack, which implements the Trusted Computing Group's TPM2 Software Stack. The vulnerability specifically concerns the deserialization process of the JSON Quote Info returned by the Fapi_Quote function. This JSON data is deserialized by Fapi_VerifyQuote into the TPM structure TPMS_ATTEST. Within this structure, the TPM2_GENERATED magic field is expected to have a specific value to represent a valid TPM-generated attestation. However, the deserialization process does not enforce strict validation on this field, allowing any number to be used in the JSON input. This flaw can cause the verifier to accept a manipulated or malicious state that does not reflect the actual device state. Consequently, a malicious device could exploit this to gain unauthorized access to sensitive data or use TPM services it should not be permitted to access. The vulnerability affects all versions of tpm2-tss prior to 4.1.0, where the issue has been addressed and patched. The CVSS v3.1 score is 4.3 (medium severity), with an attack vector limited to local access (AV:L), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and a scope change (S:C). The impact is limited to confidentiality loss (C:L) without affecting integrity or availability. There are no known exploits in the wild at the time of publication. This vulnerability highlights the risks associated with improper deserialization of untrusted data in security-critical components like TPM software stacks.

For European organizations, this vulnerability poses a risk primarily to the confidentiality of sensitive information protected by TPM modules using vulnerable versions of tpm2-tss. Since TPMs are widely used for hardware-based security functions such as secure boot, disk encryption key protection, and platform attestation, exploitation could allow a malicious device or insider to bypass security assurances, potentially exposing cryptographic keys or sensitive attestation data. This could undermine trust in device integrity and compromise secure authentication or encryption processes. Although the attack requires local access, environments with shared or less controlled physical access, such as manufacturing, repair centers, or multi-tenant data centers, may be more vulnerable. The vulnerability does not affect integrity or availability, so it is less likely to cause system outages or data tampering. However, the confidentiality breach could lead to further attacks or data leaks. European organizations relying on TPM-based security for compliance with regulations like GDPR or NIS2 should prioritize addressing this vulnerability to maintain data protection standards.

The primary mitigation is to upgrade all affected tpm2-tss installations to version 4.1.0 or later, where the vulnerability has been patched. Organizations should audit their software supply chain and device firmware to identify any use of vulnerable tpm2-tss versions. Implement strict input validation and sanity checks on all TPM-related deserialization processes to ensure that fields like TPM2_GENERATED magic conform to expected values. Limit local access to TPM-enabled devices through physical security controls and restrict administrative privileges to trusted personnel. Employ monitoring and logging of TPM interactions to detect anomalous or suspicious activity that could indicate exploitation attempts. For environments where upgrading is not immediately feasible, consider isolating vulnerable systems or disabling features that rely on Fapi_Quote and Fapi_VerifyQuote functions if possible. Finally, maintain awareness of updates from the tpm2-software project and apply security patches promptly.