CVE-2024-29040 Overview
CVE-2024-29040 is an insecure deserialization vulnerability affecting the Trusted Computing Group's (TCG) TPM2 Software Stack (TSS). The vulnerability exists in the JSON Quote Info deserialization process where Fapi_VerifyQuote deserializes data to the TPM Structure TPMS_ATTEST. A critical flaw allows any arbitrary number to be used for the TPM2_GENERATED magic field in the JSON structure, enabling an attacker to bypass proper verification of TPM attestation quotes.
This vulnerability undermines the integrity of TPM-based attestation mechanisms, which are fundamental to establishing hardware-rooted trust in computing systems. A malicious device could present a falsified state that does not reflect its actual, potentially compromised condition.
Critical Impact
Malicious devices can bypass TPM attestation verification, potentially gaining unauthorized access to protected data or services by presenting a falsified trustworthy state.
Affected Products
- TPM2 Software Stack (tpm2-tss) versions prior to 4.1.0
- Systems using Fapi_Quote and Fapi_VerifyQuote functions for TPM attestation
- Linux distributions with vulnerable tpm2-tss packages (including Fedora)
Discovery Timeline
- 2024-06-28 - CVE-2024-29040 published to NVD
- 2025-11-04 - Last updated in NVD database
Technical Details for CVE-2024-29040
Vulnerability Analysis
The vulnerability resides in the Feature API (FAPI) layer of the TPM2 Software Stack, specifically in how JSON-formatted attestation quotes are processed. When a TPM generates an attestation quote via Fapi_Quote, the result includes a TPMS_ATTEST structure containing a magic number (TPM2_GENERATED) that should verify the quote was genuinely produced by a TPM.
During the verification process in Fapi_VerifyQuote, the JSON representation of this quote must be deserialized back into the native TPM structure. The flaw occurs because the deserialization logic fails to properly validate the TPM2_GENERATED magic field, accepting any arbitrary value instead of enforcing the expected constant that proves TPM authenticity.
This weakness allows an attacker controlling a malicious device to craft a JSON quote with fabricated attestation data, effectively fooling the verifier into accepting a device state that was never actually measured or attested by the TPM hardware.
Root Cause
The root cause is classified as CWE-502 (Deserialization of Untrusted Data). The Fapi_VerifyQuote function lacks proper validation of the magic field constant during JSON deserialization. The implementation trusts the incoming JSON structure without verifying that the TPM2_GENERATED magic field contains the correct TPM-specified constant value (0xFF544347), allowing arbitrary values to pass through undetected.
Attack Vector
This vulnerability requires local access to exploit. An attacker with control of a device being attested can manipulate the JSON quote data before it reaches the verifier. The attack scenario involves:
- A malicious device intercepts or generates the attestation quote response
- The attacker modifies the JSON representation to include falsified Platform Configuration Register (PCR) values or other attestation data
- The manipulated JSON is crafted with an arbitrary magic field value
- The verifier's Fapi_VerifyQuote function deserializes the JSON without validating the magic constant
- The verifier incorrectly accepts the falsified attestation as legitimate
The vulnerability exploits the trust boundary between the TPM attestation generation and verification components, where the verifier fails to enforce validation of the magic field that marks the structure as TPM-originated data.
Detection Methods for CVE-2024-29040
Indicators of Compromise
- Unexpected or anomalous attestation quote responses containing non-standard magic field values
- JSON attestation data with TPM2_GENERATED magic values that differ from the expected 0xFF544347 constant
- Discrepancies between expected device states and attestation reports from devices under test
- Failed integrity checks following successful attestation verification (indicating falsified attestation)
Detection Strategies
- Implement secondary validation of the TPM2_GENERATED magic field in attestation verification workflows
- Monitor and log all attestation quote operations, flagging any with unexpected magic field values
- Deploy application-level logging around Fapi_Quote and Fapi_VerifyQuote function calls
- Use version detection to identify systems running tpm2-tss versions prior to 4.1.0
Monitoring Recommendations
- Audit systems utilizing TPM attestation services for vulnerable tpm2-tss library versions
- Implement integrity monitoring for TPM-related configuration and library files
- Establish baseline attestation behaviors and alert on deviations from expected patterns
- Review attestation verification logs for any historical acceptance of non-compliant quotes
How to Mitigate CVE-2024-29040
Immediate Actions Required
- Upgrade tpm2-tss to version 4.1.0 or later immediately on all affected systems
- Review any attestation decisions made with vulnerable library versions for potential compromise
- Audit devices that have undergone attestation verification during the vulnerable window
- Consider re-attesting all devices that were verified using vulnerable tpm2-tss versions
Patch Information
The vulnerability has been patched in tpm2-tss version 4.1.0. The fix implements proper validation of the TPM2_GENERATED magic field during JSON deserialization in Fapi_VerifyQuote, ensuring only legitimately TPM-generated attestation quotes are accepted.
For detailed patch information, refer to the GitHub Release 4.1.0 and the GitHub Security Advisory.
Fedora users should apply the latest package updates as announced in the Fedora Package Announcements.
Workarounds
- Implement additional application-level validation of the TPM2_GENERATED magic field before trusting attestation results
- Use direct TPM verification methods that bypass the vulnerable FAPI JSON deserialization path where possible
- Restrict network access to attestation services to minimize exposure until patching is complete
- Consider disabling attestation-dependent services temporarily if immediate patching is not feasible
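As an added example (not tpm2-tss code), the application-level secondary check recommended under Detection Strategies and Workarounds above, written in Python for a verifier: it rejects a quote whose magic field is not TPM2_GENERATED before any further processing, both for a JSON quote document and for a marshalled TPMS_ATTEST buffer. The JSON layout assumed here (an "attest" object whose "magic" may be an integer, a decimal or hex string, or the symbolic name "VALUE") is an assumption for this example, not the FAPI schema.

```python
import json
import struct

# Constants from the TPM 2.0 Library Specification, Part 2 (Structures).
TPM2_GENERATED_VALUE = 0xFF544347   # bytes "\xffTCG": marks TPM-generated data
TPM2_ST_ATTEST_QUOTE = 0x8018       # TPMS_ATTEST.type produced by TPM2_Quote


class AttestValidationError(ValueError):
    """Raised when a quote must be rejected before any signature check."""


def parse_magic(value):
    """Normalise the JSON magic field to an int. Accepted encodings are an
    assumption for this example: int, decimal/hex string, or the name "VALUE"."""
    if isinstance(value, int) and not isinstance(value, bool):
        return value
    if isinstance(value, str):
        s = value.strip()
        if s.upper() == "VALUE":
            return TPM2_GENERATED_VALUE
        try:
            return int(s, 16) if s.lower().startswith("0x") else int(s, 10)
        except ValueError:
            raise AttestValidationError(f"unparseable magic {value!r}") from None
    raise AttestValidationError("magic field missing or of wrong type")


def check_quote_json(quote_json):
    """Reject any quote whose attest.magic is not TPM2_GENERATED_VALUE; this is
    the check the vulnerable deserializer skipped."""
    doc = json.loads(quote_json)
    attest = doc.get("attest") if isinstance(doc, dict) else None
    if not isinstance(attest, dict):
        raise AttestValidationError("missing attest object")
    magic = parse_magic(attest.get("magic"))
    if magic != TPM2_GENERATED_VALUE:
        raise AttestValidationError(
            f"bad magic 0x{magic:08X}, expected 0x{TPM2_GENERATED_VALUE:08X}")
    return True


def check_attest_blob(blob):
    """Same check on a marshalled TPMS_ATTEST: big-endian UINT32 magic, UINT16 type."""
    if len(blob) < 6:
        raise AttestValidationError("attest blob too short")
    magic, st = struct.unpack(">IH", blob[:6])
    if magic != TPM2_GENERATED_VALUE:
        raise AttestValidationError(f"bad magic 0x{magic:08X}")
    if st != TPM2_ST_ATTEST_QUOTE:
        raise AttestValidationError(f"not a quote structure (type 0x{st:04X})")
    return True
```

Run these checks on the quote before handing it to Fapi_VerifyQuote on a library that has not yet been upgraded, and log every rejection as a potential falsified-attestation attempt.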
# Check the installed tpm2-tss library version (tpm2_getcap -v reports tpm2-tools, not the library)
rpm -q tpm2-tss                 # Fedora/RHEL-based systems
dpkg-query -W libtss2-fapi1     # Debian/Ubuntu-based systems (FAPI library package)
# On Fedora/RHEL-based systems, update to the patched version
sudo dnf update tpm2-tss
# On Debian/Ubuntu-based systems the library is packaged as libtss2-fapi1, not tpm2-tss
sudo apt update && sudo apt install --only-upgrade libtss2-fapi1
# Verify updated version (should be 4.1.0 or later; distributions may instead backport the fix
# into an older version string, so also check the distribution's own advisory)
rpm -q tpm2-tss 2>/dev/null || dpkg-query -W libtss2-fapi1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.