CVE-2021-42299 is a new vulnerability in Microsoft Surface Pro 3 laptops. The flaw could enable attackers to introduce malicious devices within enterprise networks, compromising the device attestation mechanism. As explained by Microsoft, this mechanism helps confirm a device’s identity. It is configured on an enrollment entry and tells the provisioning service which method to use when verifying the identity of a device during registration.
CVE-2021-42299: TPM Carte Blanche
The vulnerability has been called TPM Carte Blanche by Google software engineer Chris Fenner, who discovered and reported the flaw. Currently, there is no indication that other Surface devices, such as Surface Pro 4 and Surface Book, are affected by the vulnerability. However, researchers warn that other non-Microsoft devices running a similar BIOS could also be exposed to this attack.
On how the vulnerability can be exploited, Microsoft's official advisory states: “Devices use Platform Configuration Registers (PCRs) to record information about device and software configuration to ensure that the boot process is secure. Windows uses these PCR measurements to determine device health. A vulnerable device can masquerade as a healthy device by extending arbitrary values into Platform Configuration Register (PCR) banks.”
Exploitation requires physical access to the device, or prior compromise of a legitimate user's credentials on the targeted machine. This makes the vulnerability harder to exploit, but it is still severe in nature.
“On affected Surface Pro 3 BIOS versions, when both SHA1 and SHA256 PCR banks are enabled, the SHA256 bank is not extended. This allows an adversary to falsify TPM-based health attestation by extending fake measurements into the TPM and getting a valid quote over the fake measurements,” according to the technical write-up available on GitHub. A proof-of-concept is also available.
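A defender-side check for the condition quoted above, where the SHA1 bank carries boot measurements while the SHA256 bank is still at its reset value (an added example, not code from the advisory, the write-up or the proof-of-concept). It assumes PCR readings in a `bank:` / `index : 0xHEX` text layout such as the one tpm2-tools' `tpm2_pcrread` prints, that PCRs 0-7 hold the firmware measurements, and that the reset value is all zeros; the function names and sample readings are constructed for illustration.

```python
import hashlib
import re

DIGEST_LEN = {"sha1": 20, "sha256": 32}
BOOT_PCRS = range(8)  # assumption: PCRs 0-7 carry the firmware measurements

def pcr_extend(alg, old, measurement):
    """TPM extend: new = H(old || measurement); a PCR is never written directly."""
    return hashlib.new(alg, old + measurement).digest()

def parse_pcr_dump(text):
    """Parse 'bank:' headers and 'index : 0xHEX' lines into {bank: {index: bytes}}."""
    banks, current = {}, None
    for line in text.splitlines():
        header = re.fullmatch(r"\s*(sha1|sha256)\s*:\s*", line)
        value = re.fullmatch(r"\s*(\d+)\s*:\s*0x([0-9A-Fa-f]+)\s*", line)
        if header:
            current = banks.setdefault(header.group(1), {})
        elif value and current is not None:
            current[int(value.group(1))] = bytes.fromhex(value.group(2))
    return banks

def unextended_banks(banks):
    """Banks whose boot PCRs are all at reset value although another bank was extended."""
    def untouched(alg):
        zero = bytes(DIGEST_LEN[alg])
        return all(v == zero for i, v in banks[alg].items() if i in BOOT_PCRS)
    state = {alg: untouched(alg) for alg in banks}
    if all(state.values()):  # nothing measured anywhere: not the mismatch checked here
        return []
    return sorted(alg for alg, idle in state.items() if idle)

def build_sample_dump(extend_sha256):
    """Constructed readings: made-up events are measured into the SHA1 bank, optionally SHA256."""
    lines = []
    for alg in ("sha1", "sha256"):
        lines.append(f"{alg}:")
        for i in BOOT_PCRS:
            pcr = bytes(DIGEST_LEN[alg])
            if alg == "sha1" or extend_sha256:
                for event in (b"constructed-event-a", b"constructed-event-b"):
                    pcr = pcr_extend(alg, pcr, hashlib.new(alg, event + bytes([i])).digest())
            lines.append(f"  {i} : 0x{pcr.hex().upper()}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(unextended_banks(parse_pcr_dump(build_sample_dump(extend_sha256=False))))
```

A non-empty result means an enabled bank was never measured into by firmware, so a quote over that bank says nothing about how the device actually booted.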
In an actual attack, the vulnerability can be exploited to fetch a false Microsoft Device Health Attestation (DHA) certificate by getting hold of the TCG Log, which records the measurements made during a boot sequence. Once this is obtained, the attacker can send a valid health attestation request to the DHA service.