Entrust nShield Products Chassis Management Board Tamper Event Modification Vulnerability
Vulnerability
A vulnerability exists in Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11 or 13.7, allowing a physically proximate attacker to alter or delete tamper events via the Chassis management board. This issue arises from unprotected access to the tamper log, which is stored on an unencrypted I2C EEPROM and can be modified without leaving traces or triggering tamper alerts.
Impact
Exploitation of this vulnerability allows for unauthorized modification or deletion of tamper events, creating a false tamper log that can be used to deceive users or administrators about the device's tamper status.
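The weakness class described above (a log in storage that carries no integrity protection) can be contrasted with an authenticated log in a short added example. This is not Entrust's code or a description of its fix: the HMAC key and the record counter are assumed to live inside a protected boundary rather than in the EEPROM, and all names and sample events are constructed.

```python
import hashlib
import hmac

# Assumption: this key is held inside the protected boundary, never in the EEPROM.
KEY = b"constructed-demo-key"
GENESIS = b"\x00" * 32

def _tag(prev_tag: bytes, index: int, event: str) -> bytes:
    # Each tag binds the record to its position and to the previous record's tag.
    msg = prev_tag + index.to_bytes(4, "big") + event.encode()
    return hmac.new(KEY, msg, hashlib.sha256).digest()

def append(log: list, event: str) -> None:
    prev = log[-1][1] if log else GENESIS
    log.append((event, _tag(prev, len(log), event)))

def verify(log: list, trusted_count: int) -> bool:
    """trusted_count: assumed monotonic counter kept outside the EEPROM."""
    if len(log) != trusted_count:
        return False  # tail truncation or wholesale clearing
    prev = GENESIS
    for i, (event, tag) in enumerate(log):
        if not hmac.compare_digest(tag, _tag(prev, i, event)):
            return False  # record edited, reordered, or a predecessor removed
        prev = tag
    return True

def demo() -> dict:
    log = []
    for event in ["boot ok", "chassis lid opened", "boot ok"]:  # constructed events
        append(log, event)
    without_tamper = [r for r in log if r[0] != "chassis lid opened"]
    edited = list(log)
    edited[1] = ("boot ok", log[1][1])  # event text rewritten, old tag kept
    return {
        "intact": verify(log, 3),
        # The chain alone catches a record removed from the middle.
        "middle_deleted": verify(without_tamper, len(without_tamper)),
        "edited": verify(edited, 3),
        "cleared": verify([], 3),
        # Without the external counter, dropping the newest record goes unnoticed.
        "tail_cut_no_counter": verify(log[:2], 2),
        "tail_cut_with_counter": verify(log[:2], 3),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

A log stored as plain records has no equivalent of `verify`, so every modified variant above would be read back as genuine.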
Reproduction
The vulnerability can be reproduced by physically accessing the affected HSM model, opening the chassis, and connecting to the JTAG header on the Cosmo board. This connection can be used to read and write firmware, including the tamper log stored on an attached EEPROM. Once the tamper log is accessed, it can be modified or cleared, erasing any evidence of tampering.
Remediation
Users can upgrade to Entrust nShield versions 13.6.12 or 13.9.0 to address this vulnerability.
