Microsoft has published a new advisory warning of a security
bypass vulnerability affecting Surface Pro 3 convertible laptops
that could be exploited by an adversary to introduce malicious
devices within enterprise networks and defeat the device
attestation mechanism.
Tracked as CVE-2021-42299[1]
(CVSS score: 5.6), the issue has been codenamed “TPM Carte Blanche[2]” by Google software
engineer Chris Fenner, who is credited with discovering and
reporting the attack technique. As of writing, other Surface
devices, including the Surface Pro 4 and Surface Book, have been
deemed unaffected, although other non-Microsoft machines using a
similar BIOS may be vulnerable.
“Devices use Platform Configuration Registers (PCRs[3]) to record information
about device and software configuration to ensure that the boot
process is secure,” the Windows maker noted in a bulletin. “Windows
uses these PCR measurements to determine device health. A
vulnerable device can masquerade as a healthy device by extending
arbitrary values into Platform Configuration Register (PCR)
banks.”
However, it’s worth noting that pulling off an attack
requires physical access to a target victim’s device, or that a
bad actor has previously compromised a legitimate user’s
credentials. Microsoft said it has “attempted” to notify all
affected vendors.
Introduced in Windows 10, Device Health Attestation (DHA[4]) is an enterprise
security feature[5]
that ensures client computers have a trustworthy BIOS and Trusted
Platform Module (TPM), and that boot security features such as
early-launch antimalware (ELAM) and Secure Boot, among others, are
enabled. Put differently, DHA is designed to attest to the boot
state of a Windows computer.
The DHA service achieves this by reviewing and validating the
TPM and PCR boot logs for a device and issuing a
tamper-resistant DHA report that describes how the device started.
But by weaponizing this flaw, attackers can corrupt the TPM and PCR
logs to acquire false attestations, effectively compromising the
Device Health Attestation validation process.
“On a Surface Pro 3 running recent platform firmware with SHA1
and SHA256 PCRs enabled, if the device is booted into Ubuntu 20.04
LTS, there are no measurements at all in the SHA256 bank low PCRs,”
Fenner said. “This is problematic because this allows arbitrary,
false measurements to be made (from Linux userland, for example)
corresponding to any Windows boot log desired. An honest SHA256 PCR
quote over dishonest measurements can be requested using a
legitimate [Attestation Key] in the attached TPM.”
In a real-world scenario, CVE-2021-42299 can be abused to fetch
a false Microsoft DHA certificate by obtaining the TCG Log — which
records measurements made during a boot sequence — from a target
device whose health the attacker wants to impersonate, followed by
sending a valid health attestation request to the DHA service.
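The weakness Fenner describes is that a quote over one PCR bank says nothing about the other active bank. The following added example (not code from Microsoft, Google or the linked repository) models a verifier-side check against that: it replays a constructed TCG-style log into every bank the platform has enabled and requires each bank's quoted PCRs to match, so a log that agrees with a userland-extended SHA256 bank but not with the SHA1 bank the firmware actually measured into is rejected. Log contents, bank names and function names are assumptions for illustration.

```python
import hashlib

BANKS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}

# Constructed TCG-style event logs as (PCR index, event data) pairs.
WINDOWS_LOG = [(0, b"firmware"), (4, b"bootmgfw.efi"), (7, b"SecureBoot=1")]
LINUX_LOG = [(0, b"firmware"), (4, b"shimx64.efi"), (7, b"SecureBoot=1")]

def reset_value(bank):
    # PCRs 0-7 start at all-zero bytes of the bank's digest size
    return bytes(BANKS[bank]().digest_size)

def extend(pcr_value, digest, bank):
    # TPM extend semantics: PCR_new = H(PCR_old || digest)
    return BANKS[bank](pcr_value + digest).digest()

def replay_log(log, bank):
    """Recompute the PCR values a bank should hold after the events in log."""
    pcrs = {}
    for index, data in log:
        digest = BANKS[bank](data).digest()
        pcrs[index] = extend(pcrs.get(index, reset_value(bank)), digest, bank)
    return pcrs

def check_attestation(log, quoted, active_banks=("sha1", "sha256")):
    """Replay log into every active bank and compare with the quoted values.
    quoted maps bank name -> {pcr index: value}. Returns a list of findings;
    an empty list means the log is consistent with every active bank."""
    findings = []
    for bank in active_banks:
        reported = quoted.get(bank)
        if reported is None:
            findings.append(f"{bank}: active bank missing from quote")
            continue
        if all(v == reset_value(bank) for v in reported.values()):
            findings.append(f"{bank}: bank never extended, firmware did not measure into it")
        for index, value in replay_log(log, bank).items():
            if reported.get(index) != value:
                findings.append(f"{bank}: PCR{index} does not match log replay")
    return findings

def honest_quote(log):
    """Quote from a platform whose firmware measured the same boot into both banks."""
    return {bank: replay_log(log, bank) for bank in BANKS}

def forged_quote():
    """Constructed model of the reported scenario: the machine booted Linux, the
    SHA1 bank holds that boot, and the SHA256 bank (left at reset by firmware)
    was extended afterwards to match the submitted Windows log."""
    return {"sha1": replay_log(LINUX_LOG, "sha1"),
            "sha256": replay_log(WINDOWS_LOG, "sha256")}
```

Running `check_attestation(WINDOWS_LOG, forged_quote())` reports the SHA1 PCR4 mismatch, while the SHA256 bank alone would have verified cleanly.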
Additional technical details[6]
about the attack and a proof-of-concept[7]
(PoC) exploit can be accessed from Google’s Security Research
repository here[8].
References
- [1] CVE-2021-42299 (msrc.microsoft.com)
- [2] TPM Carte Blanche (github.com)
- [3] PCRs (docs.microsoft.com)
- [4] DHA (docs.microsoft.com)
- [5] security feature (docs.microsoft.com)
- [6] technical details (github.com)
- [7] proof-of-concept (github.com)
- [8] here (github.com)