Entrust nShield Products Unprotected Boot Chain Vulnerability Allowing Persistent Firmware Modification

Vulnerability

A vulnerability exists in the Chassis Management Board of Entrust nShield Connect XC, nShield 5c, and nShield HSMi, affecting versions through 13.6.11 or 13.7. Because the appliance's boot process is insecurely configured, a physically proximate attacker can persistently modify firmware and disrupt the boot process. Exploitation requires physical access to the device to modify the firmware via JTAG, or the ability to perform an upgrade of the chassis management board firmware.

Impact

Exploitation of this vulnerability leads to unauthorized, persistent modifications of the firmware, allowing full control over the appliance's boot process and tamper events. It also enables manipulation of the front LCD display and the USB port functionality.

Reproduction

The vulnerability can be reproduced by physically accessing the nShield HSM appliance and opening it to reach the JTAG connector on the Cosmo board. Once that access is gained, the firmware of the ARM SoC can be read and modified via JTAG. Alternatively, if root access is obtained on the appliance, the firmware can be modified through the upgrade process, which does not verify the firmware image.

Remediation

Users can upgrade to Entrust nShield versions 13.6.12 or 13.9.0 to address this vulnerability.

Added: Dec 2, 2025, 3:27 PM
Updated: Dec 2, 2025, 5:37 PM

Vulnerability Rating

Custom Algorithm (category: score)

spread: 0.3
impact: 2.5
exploitability: 4.8
remediation: 7.7
relevance: 1.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these eight key vulnerability categories, which are then combined to calculate the overall risk score.