Entrust nShield Products Privilege Escalation Vulnerability via JTAG Access
Vulnerability
A vulnerability in Entrust nShield Connect XC, nShield 5c, and nShield HSMi firmware through 13.6.11, and in 13.7, allows a physically proximate attacker to gain debug access and escalate privileges. The attacker bypasses the tamper-evident label, opens the chassis without leaving evidence, and connects to the JTAG header inside. Exploitation enables unauthorized modification of the device's firmware and of its tamper log, giving a persistent compromise that the device's own tamper evidence does not reveal.
Impact
With access to the JTAG connector, the firmware of the ARM SoC can be read and modified. This includes altering or erasing the tamper log stored on an attached EEPROM, which conceals the intrusion. From there, other internal components can be reached, such as the unencrypted SSD that holds critical data and system files.
Reproduction
To reproduce the issue, an attacker with physical access removes the tamper label without leaving traces and opens the chassis. The JTAG connector on the Cosmo board is then reachable; with a suitable debug probe, the JTAG header provides a connection to the ARM SoC that bypasses the device's protections and allows firmware modification. The process can be sped up with a custom 3D-printed tool.
Remediation
Upgrade to Entrust nShield firmware version 13.6.12 (for the 13.6 branch) or 13.9.0. No fixed 13.7 release is listed, so devices on 13.7 need 13.9.0. Because exploitation can erase the tamper log, an upgrade alone does not show that a device was not already modified; physical custody records and inspection of the tamper label are still needed for devices that may have been exposed.
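A small triage helper for checking an inventory of nShield firmware versions against the ranges in this advisory, added here as an example and not code from the page or from Entrust. It encodes the advisory text as interpreted above: affected through 13.6.11 and on 13.7.x; fixed from 13.6.12 on the 13.6 branch and from 13.9.0 onward. Versions the advisory does not mention (13.8.x) are reported as "unknown" rather than guessed, and the treatment of releases after 13.9.0 as fixed is an assumption. The inventory and version strings are constructed sample input; real version strings come from the HSM's management tooling.

```python
"""Classify nShield firmware versions against the advisory's affected/fixed ranges.

Added example, not from the original page or from Entrust. Range boundaries are
this example's interpretation of the advisory text.
"""
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

AFFECTED_THROUGH: Version = (13, 6, 11)     # "through 13.6.11"
AFFECTED_BRANCH = (13, 7)                   # "or 13.7" (any 13.7.x)
FIXED_ON_13_6: Version = (13, 6, 12)        # "13.6.12" fixes the 13.6 branch
FIXED_FROM: Version = (13, 9, 0)            # "13.9.0"; later releases assumed fixed


def parse_version(text: str) -> Version:
    """Parse 'X.Y' or 'X.Y.Z' (a trailing suffix such as '-build' is ignored)."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def classify(text: str) -> str:
    """Return 'affected', 'fixed', or 'unknown' for one version string."""
    v = parse_version(text)
    # Fixed releases first, so 13.6.12 is not swallowed by the 13.6 range below.
    if v[:2] == FIXED_ON_13_6[:2] and v >= FIXED_ON_13_6:
        return "fixed"
    if v >= FIXED_FROM:
        return "fixed"
    if v <= AFFECTED_THROUGH or v[:2] == AFFECTED_BRANCH:
        return "affected"
    # e.g. 13.8.x: not named by the advisory, so do not guess.
    return "unknown"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each device name to its classification."""
    return {name: classify(version) for name, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; device names and versions are made up.
    sample = {
        "hsm-dc1-01": "13.6.11",
        "hsm-dc1-02": "13.6.12",
        "hsm-dc2-01": "13.7.0",
        "hsm-dc2-02": "13.8.1",
        "hsm-lab-01": "12.80.4",
        "hsm-lab-02": "13.9.0",
    }
    for name, status in triage(sample).items():
        print(f"{name}: {sample[name]} -> {status}")
```

Devices reported as "affected" need the upgrade; those reported as "unknown" are on a release the advisory does not list and should be checked against Entrust's own release notes rather than assumed safe.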
