Microsoft has published a new advisory warning of a security bypass vulnerability affecting Surface Pro 3 convertible laptops that could be exploited by an adversary to introduce malicious devices within enterprise networks and defeat the device attestation mechanism.
Tracked as CVE-2021-42299 (CVSS score: 5.6), the issue has been codenamed “TPM Carte Blanche” by Google software engineer Chris Fenner, who is credited with discovering and reporting the attack technique. As of writing, other Surface devices, including the Surface Pro 4 and Surface Book, have been deemed unaffected, although other non-Microsoft machines using a similar BIOS may be vulnerable.
“Devices use Platform Configuration Registers (PCRs) to record information about device and software configuration to ensure that the boot process is secure,” the Windows maker noted in a bulletin. “Windows uses these PCR measurements to determine device health. A vulnerable device can masquerade as a healthy device by extending arbitrary values into Platform Configuration Register (PCR) banks.”
However, it’s worth noting that pulling off an attack necessitates physical access to a target victim’s device, or that a bad actor has had previously compromised a legitimate user’s credentials. Microsoft said it has “attempted” to notify all affected vendors.
Introduced in Windows 10, Device Health Attestation (DHA) is an enterprise security feature that ensures client computers have trustworthy BIOS, Trusted Module Platform (TPM), and boot software configurations enabled such as early-launch antimalware (ELAM), Secure Boot, and much more. Put differently, DHA is designed to attest to the boot state of a Windows computer.
The DHA service achieves this by reviewing and validating the TPM and PCR boot logs for a device to issue what’s a tamper-resistant DHA report that describes how the device started. But by weaponizing this flaw, attackers can corrupt the TPM and PCR logs to acquire false attestations, effectively compromising the Device Health Attestation validation process.
“On a Surface Pro 3 running recent platform firmware with SHA1 and SHA256 PCRs enabled, if the device is booted into Ubuntu 20.04 LTS, there are no measurements at all in the SHA256 bank low PCRs,” Fenner said. “This is problematic because this allows arbitrary, false measurements to be made (from Linux userland, for example) corresponding to any Windows boot log desired. An honest SHA256 PCR quote over dishonest measurements can be requested using a legitimate [Attestation Key] in the attached TPM.”
In a real-world scenario, CVE-2021-42299 can be abused to fetch a false Microsoft DHA certificate by obtaining the TCG Log — which records measurements made during a boot sequence — from a target device whose health the attacker wants to impersonate, followed by send a valid health attestation request to the DHA service.
Additional technical details about the attack and a proof-of-concept (PoC) exploit can be accessed from Google’s Security Research repository here.