CVE-2024-29039

9.0 CRITICAL

📋 TL;DR

This vulnerability in tpm2-tools allows attackers to manipulate TPM quote verification results by tampering with PCR input files. Attackers can make the system incorrectly map digest values to PCR slots and banks, creating a misleading picture of the TPM state. This affects systems using tpm2-tools for TPM attestation and integrity verification.

💻 Affected Systems

Products:
  • tpm2-tools
Versions: All versions before 5.7
Operating Systems: Linux distributions with tpm2-tools package
Default Config Vulnerable: ⚠️ Yes
Notes: Systems using tpm2_checkquote with untrusted PCR input files are vulnerable. The vulnerability is in the tpm2-tools software, not the TPM hardware itself.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could bypass TPM-based integrity checks, allowing compromised systems to appear trustworthy while running malicious code, potentially enabling supply chain attacks or credential theft.

🟠 Likely Case

Attackers could manipulate attestation results to hide system compromises, bypass security controls that rely on TPM measurements, or create false integrity reports.

🟢 If Mitigated

With proper input validation and integrity checks, the impact is limited to systems that accept untrusted PCR input files without verification.

🌐 Internet-Facing: LOW - This vulnerability requires access to manipulate PCR input files, which are typically not exposed to internet-facing interfaces.
🏢 Internal Only: MEDIUM - Internal attackers with access to PCR input files or the ability to manipulate them could exploit this to bypass TPM-based security controls.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Requires ability to modify PCR input files used by tpm2_checkquote

Exploitation requires access to modify PCR input files and knowledge of how to manipulate TPML_PCR_SELECTION structures.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.7

Vendor Advisory: https://github.com/tpm2-software/tpm2-tools/security/advisories/GHSA-8rjm-5f5f-h4q6

Restart Required: No

Instructions:

1. Update tpm2-tools to version 5.7 or later using your package manager.
2. For source installations: download from https://github.com/tpm2-software/tpm2-tools/releases/tag/5.7 and compile.
3. Verify the update with 'tpm2_checkquote --version'.

🔧 Temporary Workarounds

Validate PCR input files (platform: all)

Only use trusted, cryptographically verified PCR input files with tpm2_checkquote.

Restrict file permissions (platform: linux)

Set strict permissions on PCR input files to prevent unauthorized modification:

chmod 600 /path/to/pcr_input_file

🧯 If You Can't Patch

  • Implement additional integrity checks on PCR input files before processing
  • Use alternative TPM attestation methods that don't rely on tpm2_checkquote with external PCR files

🔍 How to Verify

Check if Vulnerable:

Check tpm2-tools version with 'tpm2_checkquote --version' or 'tpm2 --version'. If version is below 5.7, the system is vulnerable.

Check Version:

tpm2_checkquote --version || tpm2 --version

Verify Fix Applied:

After updating, verify version is 5.7 or higher with 'tpm2_checkquote --version'. Test with known good PCR input files to ensure proper validation.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected tpm2_checkquote failures
  • Mismatches in PCR validation results
  • Suspicious modifications to PCR input files

Network Indicators:

  • Unusual network activity following TPM attestation processes

SIEM Query:

Process execution logs showing tpm2_checkquote invoked with PCR input files that were recently modified, or with unexpected arguments.
