Chaotic Eclipse posted the following with the disclosure of Yellowkey:
Second thing is, No, TPM+PIN does not help, the issue is still exploitable regardless, I asked myself this question, can it still work in a TPM+PIN environment ? Yes it does, I’m just not publishing the PoC, I think what’s out there is already bad enough.
Additional info:
The YellowKey is caused by the binary “autofstx.exe” which propagates all present volumes for transaction files, a researcher (unsure if they want to be named) told me that this binary is also present in windows update WinRE images and I think they will definitely have the same vulnerability as well. However, I’m unsure if it’s possible to trigger the controlled file deletion when windows is updating. If it’s true, then it means disabling WinRE is not a solution for the problem, which also means it’s a good thing that I kept the PIN+TPM PoC a secret.
Would you happen to have a source link for those claims? I’d like to forward them to a few organisations I work with, warning them that devices currently lost/stolen/left unsupervised despite having TPM+PIN configured will have to be considered compromised even if a future patch comes out.
it’s the second link, https://deadeclipse666.blogspot.com/ - The entry is from May 13, titled “We’re doing silent patches now huh, also a quick note about YellowKey”, the second part is from May 14, titled “Important updates regarding YellowKey and GreenPlasma”. They are the one who found the vulnerabilities, PoC for RedSun, BlueHammer, YellowKey, GreenPlasma and MiniPlasma are on GitHub @ https://github.com/Nightmare-Eclipse
Thank you - it appears I stopped reading just one comment short of that, assuming that the “TPM+PIN is insecure” was a new comment, and not expecting it deeper down in the past.
Would you happen to have a source link for those claims? I’d like to forward them to a few organisations I work with, warning them that devices currently lost/stolen/left unsupervised despite having TPM+PIN configured will have to be considered compromised even if a future patch comes out.
it’s the second link, https://deadeclipse666.blogspot.com/ - The entry is from May 13, titled “We’re doing silent patches now huh, also a quick note about YellowKey”, the second part is from May 14, titled “Important updates regarding YellowKey and GreenPlasma”. They are the one who found the vulnerabilities, PoC for RedSun, BlueHammer, YellowKey, GreenPlasma and MiniPlasma are on GitHub @ https://github.com/Nightmare-Eclipse
Thank you - it appears I stopped reading just one comment short of that, assuming that the “TPM+PIN is insecure” was a new comment, and not expecting it deeper down in the past.