powershell CD-TPM-ADV170012

Posted 2021-05-22

EXTERNAL APPLICATION
exe=powershell.exe
args=-executionpolicy bypass %filename%
filename=CD-TPM-ADV170012.ps1

<#
echo off
echo "Vulscan logs all standard output.  It looks for the special strings detected, reason, expected, and found"
echo "If 'detected' is not found, then vulscan uses the return value to determine detected (non-zero means detected)."
echo "the core name is %corename%"
echo "the local cache directory location: %sdmcache%"
echo "detected=true"
echo "reason=Powershell script was run"
echo "expected=some script logic to run"
echo "found=nothing of consequence"
#>


$IfxManufacturerIdInt = 0x49465800 # 'IFX'
		
		function IsInfineonFirmwareVersionAffectedRiemann ($FirmwareVersion)
		{
			$FirmwareMajor = $FirmwareVersion[0]
			$FirmwareMinor = $FirmwareVersion[1]
			switch ($FirmwareMajor)
			{
				4 { return $FirmwareMinor -le 33 -or ($FirmwareMinor -ge 40 -and $FirmwareMinor -le 42) }
				5 { return $FirmwareMinor -le 61 }
				6 { return $FirmwareMinor -le 42 }
				7 { return $FirmwareMinor -le 61 }
				133 { return $FirmwareMinor -le 32 }
				default { return $False }
			}
		}
		
		function IsInfineonFirmwareVersionRiemannSusceptible ($FirmwareMajor)
		{
			switch ($FirmwareMajor)
			{
				4 { return $True }
				5 { return $True }
				6 { return $True }
				7 { return $True }
				133 { return $True }
				default { return $False }
			}
		}
		
		$Tpm = Get-Tpm
		$ManufacturerIdInt = $Tpm.ManufacturerId
		$FirmwareVersion = $Tpm.ManufacturerVersion -split "\."
		$FirmwareVersionAtLastProvision = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\TPM\WMI" -Name "FirmwareVersionAtLastProvision" -ErrorAction SilentlyContinue).FirmwareVersionAtLastProvision
		
		if (!$Tpm)
		{
			Write-Host "No TPM found on this system, so the issue does not apply here."
			Write-Host "detected=false"
			Write-Host "reason=Powershell script did not find a TPM"
		}
		else
		{
			if ($ManufacturerIdInt -ne $IfxManufacturerIdInt)
			{
				Write-Host "This non-Infineon TPM is not affected by the Riemann issue."
				Write-Host "detected=false"
				Write-Host "reason=Powershell script found a non-inferion TPM"
			}
			else
			{
				if ($FirmwareVersion.Length -lt 2)
				{
					Write-Error "Could not get TPM firmware version from this TPM."
					Write-Host "detected=true"
					Write-Host "reason=Powershell script could not get the firmware version from the TPM"
				}
				else
				{
					if (IsInfineonFirmwareVersionRiemannSusceptible($FirmwareVersion[0]))
					{
						if (IsInfineonFirmwareVersionAffectedRiemann($FirmwareVersion))
						{
							Write-Host ("This Infineon firmware version {0}.{1} TPM is not safe. Please update your firmware." -f [int]$FirmwareVersion[0], [int]$FirmwareVersion[1])
							Write-Host "detected=true"
							Write-Host "reason=Powershell detected an affected TPM firmware version"
							Write-Host ("found={0}.{1}" -f [int]$FirmwareVersion[0], [int]$FirmwareVersion[1])
						}
						else
						{
							Write-Host ("This Infineon firmware version {0}.{1} TPM is safe." -f [int]$FirmwareVersion[0], [int]$FirmwareVersion[1])
							Write-Host "detected=false"
							Write-Host "reason=Powershell script detected a safe TPM firmware version"
							Write-Host ("found={0}.{1}" -f [int]$FirmwareVersion[0], [int]$FirmwareVersion[1])

							if (!$FirmwareVersionAtLastProvision)
							{
								Write-Host ("We cannot determine what the firmware version was when the TPM was last cleared. Please clear your TPM now that the firmware is safe.")
								Write-Host "detected=true"
								Write-Host "reason=Powershell cannot determine what the firmware version was when the TPM was last cleared. Please clear your TPM."
							}
							elseif ($FirmwareVersion -ne $FirmwareVersionAtLastProvision)
							{
								Write-Host ("The firmware version when the TPM was last cleared was different from the current firmware version. Please clear your TPM now that the firmware is safe.")
								Write-Host "detected=true"
								Write-Host "reason=Powershell determined the firmware version when the TPM was last cleared was different from the current firmware version. Please clear your TPM."
							}
						}
					}
					else
					{
						Write-Host ("This Infineon firmware version {0}.{1} TPM is safe." -f [int]$FirmwareVersion[0], [int]$FirmwareVersion[1])
						Write-Host "detected=false"
						Write-Host "reason=Powershell detected a safe Infineon TPM firmware version"
						Write-Host ("found={0}.{1}" -f [int]$FirmwareVersion[0], [int]$FirmwareVersion[1])
					}
				}
			}
		}