CVE-2025-36238

6.0 MEDIUM

📋 TL;DR

This vulnerability allows local administrators on IBM PowerVM systems to extract sensitive information from Virtual TPMs through specific PowerVM service procedures. It affects IBM PowerVM Hypervisor firmware versions FW1110.00-FW1110.03, FW1060.00-FW1060.51, and FW950.00-FW950.F0. Only users with administrative privileges can exploit this flaw.

💻 Affected Systems

Products:
  • IBM PowerVM Hypervisor
Versions: FW1110.00 through FW1110.03, FW1060.00 through FW1060.51, FW950.00 through FW950.F0
Operating Systems: IBM AIX, IBM i, Linux on Power
Default Config Vulnerable: ⚠️ Yes
Notes: Requires local administrative access to PowerVM Hypervisor management interface.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Administrator could extract cryptographic keys, certificates, or other sensitive TPM data, potentially compromising secure boot, disk encryption, or authentication mechanisms.

🟠 Likely Case

Malicious administrator or compromised admin account could access TPM-protected secrets, enabling lateral movement or persistence within virtualized environments.

🟢 If Mitigated

With proper privilege separation and monitoring, impact is limited to authorized administrators who should already have access to sensitive systems.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires administrative privileges and knowledge of PowerVM service procedures.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FW1110.04, FW1060.52, FW950.F1 or later

Vendor Advisory: https://www.ibm.com/support/pages/node/7257556

Restart Required: Yes

Instructions:

1. Download the appropriate firmware update from IBM Fix Central.
2. Apply the firmware update using the HMC or IVM.
3. Reboot the affected LPARs and the hypervisor.
4. Verify the firmware version after the reboot.

🔧 Temporary Workarounds

Restrict Administrative Access (applies to: all)

Limit PowerVM administrative privileges to only essential personnel and implement multi-factor authentication.

Monitor Administrative Actions (applies to: all)

Enable detailed logging of PowerVM service procedure executions and monitor for unusual TPM-related operations.

🧯 If You Can't Patch

  • Implement strict access controls and audit all administrative actions on PowerVM systems.
  • Consider migrating sensitive workloads to systems with updated firmware or alternative virtualization platforms.

🔍 How to Verify

Check if Vulnerable:

Check firmware version via HMC: 'lshwres -r sys -F curr_fw_version' or from LPAR: 'lparstat -i | grep Firmware'

Check Version:

lparstat -i | grep Firmware

Verify Fix Applied:

Verify firmware version is FW1110.04+, FW1060.52+, or FW950.F1+ using same commands.
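The version check above is easy to get wrong by hand because the two-digit suffix after the dot is hexadecimal in the FW950 stream (FW950.F0 is vulnerable, FW950.F1 is fixed). The following POSIX shell snippet is an added example, not IBM's tooling or part of the advisory: it pulls the FWxxxx.yy level out of a "Firmware" line as produced by `lparstat -i` (the sample line below is constructed; real output wording may differ) and classifies it against the fixed levels listed above. The fixed levels come from the advisory; the line format and the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not IBM code): classify a PowerVM firmware level against the
# fixed levels named in the advisory for CVE-2025-36238.

# Fixed levels from the advisory; any earlier level in the same stream is vulnerable.
FIXED_1110="FW1110.04"
FIXED_1060="FW1060.52"
FIXED_950="FW950.F1"

# Extract the FWxxxx.yy token from one line of `lparstat -i` output.
# Assumed line shape (constructed): "Firmware Version : IBM,FW1060.10 (NH1060_054)"
fw_level_from_line() {
    printf '%s\n' "$1" | sed -n 's/.*\(FW[0-9][0-9]*\.[0-9A-F][0-9A-F]\).*/\1/p'
}

# Print "vulnerable", "fixed" or "unknown" for a level such as FW1060.10.
# Exit status: 0 = fixed, 1 = vulnerable, 2 = stream not covered by the advisory.
classify_fw_level() {
    level=$1
    case "$level" in
        FW1110.*) fixed=$FIXED_1110 ;;
        FW1060.*) fixed=$FIXED_1060 ;;
        FW950.*)  fixed=$FIXED_950 ;;
        *)        echo "unknown"; return 2 ;;
    esac
    # The suffix after the dot is two hex digits (03, 51, F0, ...); compare numerically
    # so that F0 < F1 is handled correctly instead of relying on string order.
    cur=$((0x${level#*.}))
    min=$((0x${fixed#*.}))
    if [ "$cur" -lt "$min" ]; then
        echo "vulnerable"
        return 1
    fi
    echo "fixed"
    return 0
}

# Stand-alone demonstration on a constructed sample line. On a real LPAR you would
# feed `lparstat -i | grep Firmware` into fw_level_from_line instead.
SAMPLE_LINE="Firmware Version : IBM,FW1060.10 (NH1060_054)"
level=$(fw_level_from_line "$SAMPLE_LINE")
printf '%s -> %s\n' "$level" "$(classify_fw_level "$level")"
```

Because the script only reads a version string, it can be run from any LPAR without additional privileges; the exit status makes it usable from a fleet-wide inventory job that flags systems still below the fixed level.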

📡 Detection & Monitoring

Log Indicators:

  • Unusual TPM-related service procedure executions
  • Multiple failed TPM access attempts by administrators

Network Indicators:

  • Unusual HMC-to-hypervisor communications patterns

SIEM Query:

source="powervm_logs" AND (event="tpm_access" OR procedure="vTPM") AND user_role="admin"
