Microsoft - New Security Flaw Affecting Surface Pro 3 Devices
Reading Time: 2 minutes

Microsoft has published a new advisory warning about a new security flaw affecting Surface Pro 3 devices. The latest vulnerability can be exploited by bad actors to introduce malicious devices within enterprise networks and defeat the device attestation mechanism.

The vulnerability is tracked as CVE-2021-42299 (CVSS score: 5.6), codenamed “TPM Carte Blanche” discovered by Google software engineer Chris Fenner and reported the attack technique. The Surface devices immune to the vulnerability include Surface Pro 4 and Surface Book, though other non-Microsoft machines using a similar BIOS may be vulnerable.

Microsoft in its blog post said, “Devices use Platform Configuration Registers (PCRs) to record information about device and software configuration to ensure that the boot process is secure. Windows uses these PCR measurements to determine device health. A vulnerable device can masquerade as a healthy device by extending arbitrary values into Platform Configuration Register (PCR) banks.”

It is important to note, for the attackers to pull off they require to have physical access to the victim’s device or it needs to be previously compromised using legitimate user’s credentials. Microsoft has already attempted to notify all affected vendors.

Device Health Attestation (DHA) is an enterprise security feature introduced in Windows 10. It ensures client computers have trustworthy BIOS and Trusted Module Platform (TPM). It also features boot software configurations enabled such as early-launch antimalware (ELAM), Secure Boot, and much more.

DHA is designed to attest to the boot state of a Windows computer. It achieves this by reviewing and validating the TPM and PCR boot logs for a device. These logs issue a tamper-resistant DHA report that describes how the device started. Though once the flaw is weaponized, attackers can corrupt the TPM and PCR logs to acquire false attestations, effectively compromising the Device Health Attestation validation process.

Fenner said, “On a Surface Pro 3 running recent platform firmware with SHA1 and SHA256 PCRs enabled, if the device is booted into Ubuntu 20.04 LTS, there are no measurements at all in the SHA256 bank low PCRs. This is problematic because this allows arbitrary, false measurements to be made (from Linux userland, for example) corresponding to any Windows boot log desired. An honest SHA256 PCR quote over dishonest measurements can be requested using a legitimate [Attestation Key] in the attached TPM.”

CVE-2021-42299 can be abused to fetch a false Microsoft DHA certificate by obtaining the TCG Log in a real-world scenario. This records measurements made during a boot sequence from a target device whose health the attacker wants to replicate, followed by sending a valid health attestation request to the DHA service.

You can find additional technical details about the attack and a proof-of-concept (PoC) exploit from Google’s Security Research repository here.

Related Articles:

New Zero Day Vulnerability for Windows – Update your Windows PC immediately
Microsoft Under 2.4Tbps DDoS Attack – Second Largest on Record
GitHub Revoked Weak SSH Authentication Keys Generated by a Popular Git Client