Description
STMicroelectronics ST33TPHF2ESPI TPM devices before 2019-09-12 allow attackers to extract the ECDSA private key via a side-channel timing attack because ECDSA scalar multiplication is mishandled, aka TPM-FAIL.
References (6)
Core 6
Core References
Third Party Advisory x_refsource_misc
http://tpm.fail
Vendor Advisory x_refsource_confirm
https://support.f5.com/csp/article/K32412503?utm_source=f5support&%3Butm_medium=RSS
Third Party Advisory x_refsource_confirm
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03972en_us
Third Party Advisory x_refsource_confirm
https://support.lenovo.com/us/en/product_security/LEN-29406
Vendor Advisory x_refsource_confirm
https://www.st.com/content/st_com/en/campaigns/tpm-update.html
Third Party Advisory x_refsource_misc
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190024
Scores
CVSS v3
5.9
EPSS
0.0328
EPSS Percentile
86.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-327
CWE-203
Status
published
Products (14)
st/st33tphf20i2c_firmware
74.5
st/st33tphf20i2c_firmware
74.9
st/st33tphf20spi_firmware
74.0
st/st33tphf20spi_firmware
74.4
st/st33tphf20spi_firmware
74.8
st/st33tphf20spi_firmware
74.16
st/st33tphf2ei2c_firmware
73.5
st/st33tphf2ei2c_firmware
73.9
st/st33tphf2espi_firmware
71.0
st/st33tphf2espi_firmware
71.4
... and 4 more
Published
Nov 14, 2019
Tracked Since
Feb 18, 2026