Here is another addendum to the topic "we are becoming more secure with hardware and software". Recently, Microsoft had to admit a TPM vulnerability (Carte Blanche) in its Surface Pro 3 and sent out a corresponding security notification. In addition, a vulnerability in the TPM chip of the Surface Pro 3 has been known for a year, for which an update is available. I'll summarize some information here.
First hints of a TPM vulnerability
I learned about the TPM vulnerability in the Surface Pro 3 in two ways. First, Microsoft distributed various security advisories by mail. Here is the revision from 2021/10/19:
– CVE-2021-42299 | Microsoft Surface Pro 3 Security Feature Bypass Vulnerability
– Version: 1.1
– Reason for Revision: Corrected the CVE release date to October 18, 2021.
– Originally posted: October 18, 2021
– Updated: October 19, 2021
– Aggregate CVE Severity Rating: Important
Second, a comment by P. Feifenbläser in the discussion area of my German blog raised the issue. I am quoting it here because posts in the discussion area are deleted periodically.
Does this "TPM Carte Blanche" article mean, between the lines and without going further into the security gap mentioned there, that with TPM the computer reports every boot to Microsoft or asks whether it is allowed to do so?
Or did I misunderstand the role of this "Health Attestation Services"?
The vulnerability CVE-2021-42299
The TPM module of the Surface Pro 3 can be bypassed via a BIOS vulnerability, according to Microsoft (CVE-2021-42299). Models like the Surface Pro 4, Surface Book, and newer Surface devices are not affected. However, other devices, including non-Microsoft devices that use a similar BIOS, may be affected.
Devices such as Surfaces use Platform Configuration Registers (PCRs) to record device and software configuration information. The purpose is to verify that the boot process was secure. Windows uses these PCR measurements to determine the health of the device.
However, the vulnerability allows attackers to insert arbitrary values into the PCRs and thus have a compromised device reported as healthy.
The damage is limited, however, because the attack requires physical access to the victim's device. Since such devices are usually protected against third-party access by a login password, that hurdle must be overcome first.
Details about the vulnerability
There is a Device Health Attestation function in Windows. It uses a Trusted Platform Module (TPM) to attest the (secure) boot state of a PC: measurements that are normally recorded in the TPM during the boot process are certified with an attestation key.
Chris Fenner from Google discovered CVE-2021-42299 and describes the details in the GitHub post "CVE-2021-42299: TPM Carte Blanche". On the Surface Pro 3, the vulnerability exists when both the SHA1 and SHA256 PCR banks are enabled on the TPM with BIOS version 3.11.2550 and earlier. The problem: the firmware extends only the SHA1 PCRs. As a result, an attacker who boots an unapproved or compromised operating system can supply the PCRs with false measurements and obtain false attestations about the loaded operating system.
Fenner describes the details in his GitHub post, but the short version is: this vulnerability can be used to trick an oh-so-secure PC with TPM, which supposedly can only boot approved operating systems – and an attacker can boot any operating system.
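To make the "only one bank is extended" problem concrete, here is an added Python simulation (not code from Fenner's write-up or Microsoft's advisory) of two PCR banks with a firmware model that measures into SHA-1 only. It shows why a verifier that trusts the SHA-256 bank alone learns nothing, and the check a verifier should apply instead: flag any enabled bank still at its reset value and require all banks to agree with the same measurement log. The event strings and both verifier functions are constructed assumptions.

```python
import hashlib

# Constructed simulation of the Carte Blanche condition: two PCR banks, firmware
# that extends only the SHA-1 bank. Event strings and verifiers are assumptions.

BANKS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}
GOOD_LOG = [b"BIOS 3.11.2550", b"bootmgr", b"approved-os"]    # constructed
EVIL_LOG = [b"BIOS 3.11.2550", b"bootmgr", b"unapproved-os"]  # constructed

def initial_pcr(bank):
    """PCRs 0..15 reset to all-zero bytes of the bank's digest size."""
    return bytes(BANKS[bank]().digest_size)

def extend(bank, pcr, event):
    """TPM2_PCR_Extend semantics: PCR_new = H(PCR_old || H(event))."""
    h = BANKS[bank]
    return h(pcr + h(event).digest()).digest()

def replay_log(bank, events):
    """Expected PCR value for a bank after replaying a measurement log."""
    pcr = initial_pcr(bank)
    for ev in events:
        pcr = extend(bank, pcr, ev)
    return pcr

def affected_firmware_boot(events):
    """BIOS <= 3.11.2550 model: measures into SHA-1 only; SHA-256 stays at reset."""
    return {"sha1": replay_log("sha1", events), "sha256": initial_pcr("sha256")}

def fixed_firmware_boot(events):
    """Patched model: every enabled bank is extended with the same events."""
    return {b: replay_log(b, events) for b in BANKS}

def fill_untouched_bank(pcrs, events):
    """A bank the firmware never touched can later be extended from reset with
    any log at all, here the 'good' one. This is what a verifier must catch."""
    return {**pcrs, "sha256": replay_log("sha256", events)}

def verify_sha256_only(pcrs, expected):
    """Weak verifier: trusts a quote over the SHA-256 bank alone."""
    return pcrs["sha256"] == replay_log("sha256", expected)

def verify_all_banks(pcrs, expected):
    """Defender check: every enabled bank must have been extended (not at its
    reset value) and must match the same event log."""
    for bank, value in pcrs.items():
        if value == initial_pcr(bank):
            return False, f"{bank} bank never extended"
        if value != replay_log(bank, expected):
            return False, f"{bank} bank disagrees with expected log"
    return True, "all banks consistent"
```

Note that even a clean boot on the affected firmware fails the strict check, because an enabled bank sitting at its reset value is itself the defect.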
TPM vulnerability CVE-2017-15361
A year ago, the vulnerability CVE-2017-15361 was discovered in the TPM chip of the manufacturer Infineon. In the meantime, there is apparently an update for the TPM of the Surface Pro 3, as I read in this German article by Martin Geuß a few days ago. Ralf Eiberger has described how to install the update in this German article.
It is always refreshing to read how secure the whole thing has become in the meantime and what a glorious future Microsoft wants to lead us into with Windows 11 and its increased hardware requirements such as TPM 2.0.