├── .gitattributes
├── LICENSE.md
├── linux
│   ├── Detect-CVE-2017-15361-TPM.audit
│   └── Detect-CVE-2017-15361-TPM.sh
├── CONTRIBUTING.md
├── windows
│   ├── Detect-CVE-2017-15361-TPM.ps1
│   ├── Detect-CVE-2017-15361-TPM.audit
│   └── GenerateWindowsNessusAuditFile.ps1
├── DISCLAIMER.md
└── README.md

/.gitattributes:
--------------------------------------------------------------------------------
# leave line endings as is and don't convert
* -text

/LICENSE.md:
--------------------------------------------------------------------------------
This Work was prepared by a United States Government employee and, therefore, is excluded from copyright by Section 105 of the Copyright Act of 1976.

Copyright and Related Rights in the Work worldwide are waived through the [CC0 1.0](https://creativecommons.org/publicdomain/zero/1.0/) [Universal license](https://creativecommons.org/publicdomain/zero/1.0/legalcode).
--------------------------------------------------------------------------------
/linux/Detect-CVE-2017-15361-TPM.audit:
--------------------------------------------------------------------------------

system: "Linux"
type : CMD_EXEC
description : "Detects enabled TPMs vulnerable to CVE-2017-15361"
cmd : "export B=/sys/class/tpm/tpm0/device/caps; ( egrep 'Manufacturer\\s*:\\s*0x49465800$' -s -q $B && egrep 'Firmware\\ version:\\s*+4\\.([12]?[0-9]\\.|3[0-3]\\.|4[0-2]\\.)|\\s5\\.([1-5]?[0-9]\\.|6[01]\\.)|\\s6\\.([1-3]?[0-9]\\.|4[012]\\.)|\\s7\\.([1-5]?[0-9]\\.|6[01]\\.)|\\s133\\.([12]?[0-9]\\.|3[0-2]\\.)|\\s149\\.([12]?[0-9]\\.|3[0-2]\\.)' -q $B ) || echo -n GOOD"
expect : ".*GOOD"

--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
All contributions to this project will be released as follows:

1. If you are a U.S. government employee, then your changes are exempt from copyright in the U.S. and will be released under the [CC0 1.0](https://creativecommons.org/publicdomain/zero/1.0/) [Universal license](https://creativecommons.org/publicdomain/zero/1.0/legalcode) worldwide.
1. If you are not a U.S. government employee, then your changes will be released under the [CC0 1.0](https://creativecommons.org/publicdomain/zero/1.0/) [Universal license](https://creativecommons.org/publicdomain/zero/1.0/legalcode) in the U.S. and worldwide.

By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.
--------------------------------------------------------------------------------
/windows/Detect-CVE-2017-15361-TPM.ps1:
--------------------------------------------------------------------------------
Set-StrictMode -Version 2

Function Test-CVE201715361TPM {
    <#
    .SYNOPSIS
    Tests if a Windows system has an enabled Trusted Platform Module (TPM) that is vulnerable to CVE-2017-15361.

    .DESCRIPTION
    Tests if a Windows system has an enabled Trusted Platform Module (TPM) that is vulnerable to CVE-2017-15361. Requires PowerShell 2.0 or later. Must be run with administrator privileges.

    .EXAMPLE
    Test-CVE201715361TPM
    #>
    [CmdletBinding()]
    Param()

    $vulnerable = $false

    $tpm = $null

    try {
        # Win32_TPM is only present when a TPM is enabled and its driver is loaded;
        # on a system without one this returns $null rather than throwing
        $tpm = Get-WmiObject -Class 'Win32_TPM' -Namespace 'root/cimv2/Security/MicrosoftTPM' -ErrorAction SilentlyContinue
    } catch {}

    if ($tpm -ne $null) {
        # 0x49465800 is the TCG vendor ID 'IFX' (Infineon)
        if ($tpm.ManufacturerId -eq 0x49465800) {
            if ($tpm.ManufacturerVersion.Length -ge 3) {
                # ManufacturerVersion is 'major.minor[.build.revision]'; only major.minor decide the verdict
                $version = [System.Version]$tpm.ManufacturerVersion

                switch ($version.Major) {
                    4   { $vulnerable = ($version.Minor -le 33 -or @(40..42) -contains $version.Minor); break }
                    5   { $vulnerable = ($version.Minor -le 61); break }
                    6   { $vulnerable = ($version.Minor -le 42); break }
                    7   { $vulnerable = ($version.Minor -le 61); break }
                    133 { $vulnerable = ($version.Minor -le 32); break }
                    149 { $vulnerable = ($version.Minor -le 32); break }
                    default { $vulnerable = $false; break }
                }
            }
        }
    }
    $vulnerable
}

Test-CVE201715361TPM
--------------------------------------------------------------------------------
/DISCLAIMER.md:
--------------------------------------------------------------------------------
## Disclaimer of Warranty
This Work is provided "as is". Any express or implied warranties, including but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall the United States Government be liable for any direct, indirect, incidental, special, exemplary or consequential damages (including, but not limited to, procurement of substitute goods or services, loss of use, data or profits, or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this Work, even if advised of the possibility of such damage.

The User of this Work agrees to hold harmless and indemnify the United States Government, its agents and employees from every claim or liability (whether in tort or in contract), including attorneys' fees, court costs, and expenses, arising in direct consequence of Recipient's use of the item, including but not limited to, claims or liabilities made for injury to or death of personnel of User or third parties, damage to or destruction of property of User or third parties, infringement or other violations of intellectual property or technical data rights.

Nothing in this Work is intended to constitute an endorsement, explicit or implied, by the United States Government of any particular manufacturer's product or service.

## Disclaimer of Endorsement
Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, in this Work does not constitute an endorsement, recommendation, or favoring by the United States Government and shall not be used for advertising or product endorsement purposes.
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Detect Trusted Platform Modules Vulnerable to CVE-2017-15361
This repository provides content for aiding DoD administrators in detecting systems that have an enabled Trusted Platform Module (TPM) that is vulnerable to CVE-2017-15361 and is a companion to Information Assurance Advisory [RSA Key Generation Vulnerability Affecting Trusted Platform Modules](https://www.iad.gov/iad/library/ia-advisories-alerts/rsa-key-generation-vulnerability-affecting-trusted-platform.cfm). The files in this repository can be downloaded as a zip file [here](https://github.com/nsacyber/Detect-CVE-2017-15361-TPM/archive/master.zip).

The main files of interest in the repository include:
* [windows/Detect-CVE-2017-15361-TPM.audit](windows/Detect-CVE-2017-15361-TPM.audit) - a custom Nessus audit file useful for DoD administrators who want to scan Windows systems on their network with Nessus (acquire via the [ACAS](https://www.disa.mil/cybersecurity/network-defense/acas) program). TPM 1.2 and TPM 2.0 devices are supported.
* [windows/Detect-CVE-2017-15361-TPM.ps1](windows/Detect-CVE-2017-15361-TPM.ps1) - a PowerShell script useful for DoD administrators who want to locally test a single, standalone system. TPM 1.2 and TPM 2.0 devices are supported.
* [linux/Detect-CVE-2017-15361-TPM.audit](linux/Detect-CVE-2017-15361-TPM.audit) - a custom Nessus audit file useful for DoD administrators who want to scan Linux systems on their network with Nessus (acquire via the [ACAS](https://www.disa.mil/cybersecurity/network-defense/acas) program). Only TPM 1.2 devices are supported.
* [linux/Detect-CVE-2017-15361-TPM.sh](linux/Detect-CVE-2017-15361-TPM.sh) - a bash script useful for DoD users who want to locally test a single, standalone Linux system. Only TPM 1.2 devices are supported.

Support files in the repository include:
* [GenerateWindowsNessusAuditFile.ps1](windows/GenerateWindowsNessusAuditFile.ps1) - a PowerShell script that generates the Detect-CVE-2017-15361-TPM.audit file for Windows based on code in the Detect-CVE-2017-15361-TPM.ps1 file.

Infineon TPM firmware versions affected:
* 4.0 - 4.33
* 4.4 - 4.42
* 5.0 - 5.61
* 6.0 - 6.42
* 7.0 - 7.61
* 133.0 - 133.32
* 149.0 - 149.32

## Links
Original research identifying the issue:
* https://crocs.fi.muni.cz/public/papers/rsa_ccs17

More information about the vulnerability:
* https://www.kb.cert.org/vuls/id/307015
* https://www.infineon.com/cms/en/product/promopages/rsa-update/
* https://www.infineon.com/cms/en/product/promopages/rsa-update/rsa-background
* https://www.infineon.com/cms/en/product/promopages/tpm-update/

More information on operating system patches and TPM firmware updates:
* https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV170012
* https://us.answers.acer.com/app/answers/detail/a_id/51137
* http://www.fujitsu.com/global/support/products/software/security/products-f/ifsa-201701e.html
* https://support.hp.com/us-en/document/c05792935
* https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03789en_us
* https://support.lenovo.com/us/en/product_security/LEN-15552
* https://support.toshiba.com/sscontent?contentId=4015874
* https://sites.google.com/a/chromium.org/dev/chromium-os/tpm_firmware_update

More information about other devices that are affected:
* https://www.yubico.com/support/security-advisories/ysa-2017-01/
* https://safenet.gemalto.com/technical-support/security-updates and https://gemalto.service-now.com/csm?id=kb_article&sys_id=19a55bdf4fb907c0873b69d18110c768

Tools for checking if your RSA key is affected:
* https://github.com/crocs-muni/roca
* https://keychest.net/roca
* https://keytester.cryptosense.com/
* https://www.tenable.com/plugins/index.php?view=single&id=103864

## License
See [LICENSE](./LICENSE.md).

## Disclaimer
See [DISCLAIMER](./DISCLAIMER.md).

--------------------------------------------------------------------------------
/windows/Detect-CVE-2017-15361-TPM.audit:
--------------------------------------------------------------------------------

type: AUDIT_POWERSHELL
description: "Detects Windows systems that have an enabled Trusted Platform Module (TPM) that is vulnerable to CVE-2017-15361 aka Return of Coppersmith's Attack (ROCA) aka Infineon RSA key generation vulnerability. Requires that PowerShell 2.0 is installed on the systems that are scanned. Tested on Windows 7 and later."
info: "
See the following web sites for more information about the vulnerability:

https://www.kb.cert.org/vuls/id/307015
https://www.infineon.com/cms/en/product/promopages/rsa-update/
https://www.infineon.com/cms/en/product/promopages/rsa-update/rsa-background
https://www.infineon.com/cms/en/product/promopages/tpm-update/

See the following web sites for more information on operating system patches and TPM firmware updates:

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV170012
https://us.answers.acer.com/app/answers/detail/a_id/51137
http://www.fujitsu.com/global/support/products/software/security/products-f/ifsa-201701e.html
https://support.hp.com/us-en/document/c05792935
https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03789en_us
https://support.lenovo.com/us/en/product_security/LEN-15552
https://support.toshiba.com/sscontent?contentId=4015874
"
value_type: POLICY_TEXT
value_data: "False"
check_type: CHECK_EQUAL
powershell_args: "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"
ps_encoded_args: YES
only_show_cmd_output: NO
severity: HIGH

--------------------------------------------------------------------------------
/linux/Detect-CVE-2017-15361-TPM.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#=================================================================================
#=
#= FILE: Detect-CVE-2017-15361-TPM.sh
#=
#
####
# Below is the description in markdown. It is used as input to generate the roff section that is at the end of this file.
# I use
# awk '/# BEGIN INPUT DOCUMENTATION/{flag=1;next} /# END INPUT DOCUMENTATION/{flag=0} flag {print}' Detect-CVE-2017-15361-TPM.sh | cut -b 3- | ronn -r
# BEGIN INPUT DOCUMENTATION
#
#=Detect-CVE-2017-15361-TPM.sh -- A tester for CVE-2017-15361
#========================================
#=
#=SYNOPSIS
#=--------
#=`Detect-CVE-2017-15361-TPM.sh`
#= --help|-h|help
#=
#=DESCRIPTION
#=-----------
#=
#=`Detect-CVE-2017-15361-TPM.sh` is a utility to test whether the current system
#= is vulnerable to CVE-2017-15361. Only TPM 1.2 devices are supported.
#= To use the utility, run without the help options.
#=
#=OPTIONS
#=-------
#=* `--help`, `-h`:
#=  Prints this help message
#=
#=REFERENCES
#=----------
#=*https://cve-mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15361
# END INPUT DOCUMENTATION


if [ "$1" == '-h' ] || [ "$1" == "--help" ]; then
    ME="$(which "$0")"   # Find me
    # The generated man page starts on the line after the marker; match the
    # marker whether or not it is indented
    NUM=$(grep -n '^ *#BEGIN DOCUMENTATION' "$ME" | awk -F: '{print $1}')
    NUM=$(expr $NUM + 1)
    tail --lines=+$NUM "$ME" | man -l -
    exit 0;
fi


# An alternate caps file may be passed as $1 (useful for testing against saved output)
if [ ! -r "${1:-/sys/class/tpm/tpm0/device/caps}" ]; then
    echo "Could not find the TPM information file."
    echo "The TPM driver is probably not installed."
    exit 1;
fi

MSG=$(
    (
        # Put the key/value lines of the caps file (the same fields tpm_version
        # prints) into a bash associative array.
        declare -A infomap=()
        while read -r line; do
            # Get tag
            tag=${line%%:*}
            # Remove all spaces
            tag=${tag//[[:blank:]]}
            # Skip blank or malformed lines so the array subscript is never empty
            [ -z "$tag" ] && continue
            infomap[${tag}]=$(echo ${line#*:})
        done

        if [ "${infomap[Manufacturer]}" == "" ]; then
            echo UNKNOWN
            exit 0;
        fi
        # 0x49465800 is the TCG vendor ID 'IFX' (Infineon)
        if [ "${infomap[Manufacturer]}" != "0x49465800" ]; then
            echo NOTINFIN
            exit 0;
        fi
        # Split on dot(.) and put values in array
        IFS='.' read -ra chipVer <<< "${infomap[Firmwareversion]}"

        case ${chipVer[0]} in
            4)
                if [ ${chipVer[1]} -le 33 ] ||
                   [ ${chipVer[1]} == 40 ] ||
                   [ ${chipVer[1]} == 41 ] ||
                   [ ${chipVer[1]} == 42 ] ; then
                    echo VULN
                    exit 0
                fi
                ;;

            5)
                if [ ${chipVer[1]} -le 61 ]; then
                    echo VULN
                    exit 0
                fi
                ;;

            6)
                if [ ${chipVer[1]} -le 42 ]; then
                    echo VULN
                    exit 0
                fi
                ;;

            7)
                if [ ${chipVer[1]} -le 61 ]; then
                    echo VULN
                    exit 0
                fi
                ;;

            133)
                if [ ${chipVer[1]} -le 32 ]; then
                    echo VULN
                    exit 0
                fi
                ;;

            149)
                if [ ${chipVer[1]} -le 32 ]; then
                    echo VULN
                    exit 0
                fi
                ;;

            *)
                ;;
        esac
        echo GOOD
        exit 0
    ) < "${1:-/sys/class/tpm/tpm0/device/caps}"
)


if [ "$MSG" == VULN ]; then
    echo "This firmware *IS* vulnerable. Please upgrade as soon as possible."
elif [ "$MSG" == NOTINFIN ]; then
    echo "This firmware is not Infineon and therefore not vulnerable to CVE-2017-15361."
elif [ "$MSG" == GOOD ]; then
    echo "This firmware is not vulnerable to CVE-2017-15361"
    exit 0
elif [ "$MSG" == UNKNOWN ]; then
    echo "Could not determine the firmware type. Please ensure 'tcsd' is running."
else
    echo "Unexpected error."
fi

exit 1


#############################################################
#BEGIN DOCUMENTATION
.\" generated with Ronn/v0.7.3
.\" http://github.com/rtomayko/ronn/tree/0.7.3
.
.TH "DETECT\-CVE\-2017\-15361\-TPM\.SH" "" "October 2017" "" ""
.
.SH "NAME"
\fBDetect\-CVE\-2017\-15361\-TPM\.sh\fR \- A tester for CVE\-2017\-15361
.
.SH "SYNOPSIS"
\fBDetect\-CVE\-2017\-15361\-TPM\.sh\fR \-\-help|\-h|help
.
.SH "DESCRIPTION"
\fBDetect\-CVE\-2017\-15361\-TPM\.sh\fR is a utility to test whether the current system is vulnerable to CVE\-2017\-15361\. Only TPM 1\.2 devices are supported\. To use the utility, run without the help options\.
.
.SH "OPTIONS"
.
.TP
\fB\-\-help\fR, \fB\-h\fR
Prints this help message
.
.SH "REFERENCES"
*https://cve\-mitre\.org/cgi\-bin/cvename\.cgi?name=CVE\-2017\-15361
--------------------------------------------------------------------------------
/windows/GenerateWindowsNessusAuditFile.ps1:
--------------------------------------------------------------------------------
Set-StrictMode -Version 4

Function Get-CondensedScriptBlock() {
    <#
    .SYNOPSIS
    Gets a condensed version of a script block.

    .DESCRIPTION
    Gets a trimmed and condensed version of a script block so it is in its smallest executable form.

    .EXAMPLE
    Get-CondensedScriptBlock -ScriptBlock $block
    #>
    [OutputType([ScriptBlock])]
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true, HelpMessage='PowerShell code script block')]
        [ValidateNotNullOrEmpty()]
        [ScriptBlock]$ScriptBlock
    )

    # Strip indentation and blank lines; -split takes a regex, so both CRLF and LF sources work
    $lines = $ScriptBlock.ToString() -split "`r?`n"
    $scriptText = [string[]]@($lines | ForEach-Object { $line = $_.Trim(); if ($line -ne '') { $line } }) -join "`r`n"

    # todo parse statements and flatten into one liner by separating statements with a semicolon
    #$ast = [Management.Automation.Language.Parser]::ParseInput($scriptText, [ref]$tokens, [ref]$errors)

    $scriptBlock = [ScriptBlock]::Create($scriptText)

    return $scriptBlock
}

Function Get-ScriptBlock() {
    <#
    .SYNOPSIS
    Gets a script block from a function body in a script file.

    .DESCRIPTION
    Gets a script block from a function body in a script file.

    .EXAMPLE
    Get-ScriptBlock -Path '.\Detect-CVE-2017-15361-TPM.ps1' -FunctionName 'Test-CVE201715361TPM'
    #>
    [OutputType([ScriptBlock])]
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true, HelpMessage='The name of the function')]
        [ValidateNotNullOrEmpty()]
        [string]$FunctionName,

        [Parameter(Mandatory=$true, HelpMessage='The path to file containing the PowerShell function')]
        [ValidateNotNullOrEmpty()]
        [string]$Path
    )

    $scriptBlock = $null

    $Path = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($Path)

    if (Test-Path -Path $Path -PathType Leaf) {
        $tokens = $null
        $errors = $null

        $ast = [Management.Automation.Language.Parser]::ParseFile($Path, [ref]$tokens, [ref]$errors)
        $functionDefinition = $ast.Find({ $args[0] -is [System.Management.Automation.Language.FunctionDefinitionAst] -and $args[0].Name -eq $FunctionName }, $true)

        if ($functionDefinition -ne $null) {
            $functionBody = $functionDefinition.Body
            $functionBodyText = $functionBody.Extent.Text
            $functionBodyText = $functionBodyText.Trim('{','}') # function start and end brackets
            # Everything after the Param() block (comment-based help included before it) is the code
            # that Nessus will run on the scanned host
            $paramBlock = $functionBody.Find({ $args[0] -is [Management.Automation.Language.ParamBlockAst] }, $true)
            $paramBlockText = $paramBlock.Extent.Text
            $paramBlockIndex = $functionBodyText.IndexOf($paramBlockText)
            $scriptText = $functionBodyText.Substring($paramBlockIndex + $paramBlockText.Length).Trim()
            $scriptBlock = [ScriptBlock]::Create($scriptText)
        } else {
            throw "function $FunctionName was not found in $Path"
        }
    } else {
        throw "$Path not found"
    }
    return $scriptBlock
}

Function New-NessusAuditFile() {
    <#
    .SYNOPSIS
    Generates a new Nessus audit file based on a script file and function name.

    .DESCRIPTION
    Generates a new Nessus audit file based on a script file and function name.

    .EXAMPLE
    New-NessusAuditFile -Path '.\Detect-CVE-2017-15361-TPM.audit' -ScriptBlock $block
    #>
    [OutputType([void])]
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true, HelpMessage='PowerShell code script block')]
        [ValidateNotNullOrEmpty()]
        [ScriptBlock]$ScriptBlock,

        [Parameter(Mandatory=$true, HelpMessage='The path to save the Nessus audit file to')]
        [ValidateNotNullOrEmpty()]
        [string]$Path
    )

    $template = @'

type: AUDIT_POWERSHELL
description: "Detects Windows systems that have an enabled Trusted Platform Module (TPM) that is vulnerable to CVE-2017-15361 aka Return of Coppersmith's Attack (ROCA) aka Infineon RSA key generation vulnerability. Requires that PowerShell 2.0 is installed on the systems that are scanned. Tested on Windows 7 and later."
info: "
See the following web sites for more information about the vulnerability:

https://www.kb.cert.org/vuls/id/307015
https://www.infineon.com/cms/en/product/promopages/rsa-update/
https://www.infineon.com/cms/en/product/promopages/rsa-update/rsa-background
https://www.infineon.com/cms/en/product/promopages/tpm-update/

See the following web sites for more information on operating system patches and TPM firmware updates:

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV170012
https://us.answers.acer.com/app/answers/detail/a_id/51137
http://www.fujitsu.com/global/support/products/software/security/products-f/ifsa-201701e.html
https://support.hp.com/us-en/document/c05792935
https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03789en_us
https://support.lenovo.com/us/en/product_security/LEN-15552
https://support.toshiba.com/sscontent?contentId=4015874
"
value_type: POLICY_TEXT
value_data: "False"
check_type: CHECK_EQUAL
powershell_args: "{0}"
ps_encoded_args: YES
only_show_cmd_output: NO
severity: HIGH

'@

    $Path = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($Path)

    # ps_encoded_args: YES means Nessus expects the script as base64 over UTF-16LE,
    # the same encoding PowerShell's -EncodedCommand takes
    $encoded = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($ScriptBlock.ToString()))

    if ($encoded.Length -gt 8192) {
        throw ("Encoded script block length of {0} was larger than the allowed maximum of 8192" -f $encoded.Length)
    }

    $template -f $encoded | Out-File -FilePath $Path -Encoding ascii -Force -NoNewline
}

$block = Get-ScriptBlock -Path '.\Detect-CVE-2017-15361-TPM.ps1' -FunctionName 'Test-CVE201715361TPM'
$block = Get-CondensedScriptBlock $block
New-NessusAuditFile -Path '.\Detect-CVE-2017-15361-TPM.audit' -ScriptBlock $block
--------------------------------------------------------------------------------
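The firmware-range check that the PowerShell switch, the bash case statement and the README's affected-version list all encode, written out once in Python as an added example (not code from the nsacyber repository) for anyone folding the check into inventory tooling that already collects Win32_TPM fields or Linux caps files. The caps file contents, the STMicro vendor ID sample and the four-part Windows version string are constructed sample inputs; the ranges come from the README and the 0x49465800 comparison from the scripts.

```python
"""Classify a TPM against the CVE-2017-15361 Infineon firmware ranges from the
README. Added example; not code from the nsacyber repository."""
import re

INFINEON_ID = 0x49465800  # TCG vendor ID "IFX", the value both scripts compare

# (major, lowest affected minor, highest affected minor): the same bounds the
# PowerShell switch and the bash case statement encode.
AFFECTED = [
    (4, 0, 33), (4, 40, 42),
    (5, 0, 61), (6, 0, 42), (7, 0, 61),
    (133, 0, 32), (149, 0, 32),
]


def parse_caps(text):
    """Parse the key/value lines of /sys/class/tpm/tpm0/device/caps into a
    dict keyed the way the bash script does (tag with blanks removed, so
    'Firmware version' becomes 'Firmwareversion'). Lines without ':' are skipped."""
    info = {}
    for line in text.splitlines():
        tag, sep, value = line.partition(":")
        if sep:
            info[re.sub(r"\s+", "", tag)] = value.strip()
    return info


def is_affected(firmware_version):
    """True when 'major.minor[.build.rev]' lies in an affected range. Only the
    first two components matter: Windows' ManufacturerVersion carries extra
    ones, the Linux caps file only two. Raises ValueError on unparsable input."""
    parts = firmware_version.strip().split(".")
    if len(parts) < 2 or not (parts[0].isdigit() and parts[1].isdigit()):
        raise ValueError("unrecognised firmware version %r" % firmware_version)
    major, minor = int(parts[0]), int(parts[1])
    return any(major == m and lo <= minor <= hi for m, lo, hi in AFFECTED)


def classify(manufacturer_id, firmware_version):
    """Return the bash script's verdicts: UNKNOWN, NOTINFIN, VULN or GOOD.
    manufacturer_id is an int (Win32_TPM.ManufacturerId) or the '0x...'
    string found in the Linux caps file."""
    if manufacturer_id in (None, ""):
        return "UNKNOWN"
    if isinstance(manufacturer_id, str):
        manufacturer_id = int(manufacturer_id, 16)
    if manufacturer_id != INFINEON_ID:
        return "NOTINFIN"
    try:
        return "VULN" if is_affected(firmware_version) else "GOOD"
    except ValueError:
        return "UNKNOWN"


def classify_caps(text):
    """Classify from the raw text of a Linux TPM 1.2 caps file."""
    info = parse_caps(text)
    return classify(info.get("Manufacturer"), info.get("Firmwareversion", ""))


# Constructed sample inputs (not captured from real devices).
CAPS_VULN = "Manufacturer: 0x49465800\nTCG version: 1.2\nFirmware version: 4.32\n"
CAPS_GAP = "Manufacturer: 0x49465800\nTCG version: 1.2\nFirmware version: 4.34\n"
CAPS_STM = "Manufacturer: 0x53544d20\nTCG version: 1.2\nFirmware version: 13.12\n"

if __name__ == "__main__":
    for name, caps in (("vuln", CAPS_VULN), ("gap", CAPS_GAP), ("stm", CAPS_STM)):
        print(name, classify_caps(caps))
    # Windows-style four-part version string (constructed), as Win32_TPM reports it
    print("win", classify(0x49465800, "7.40.2098.0"))
```

Note that 4.34 through 4.39 fall in the gap between the two version-4 ranges and are reported GOOD, exactly as the scripts do.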