Entrust nShield Products Privilege Escalation Vulnerability via GRUB Bootloader Manipulation
Vulnerability
A privilege escalation vulnerability has been identified in Entrust nShield Connect XC, nShield 5c, and nShield HSMi, affecting versions up to and including 13.6.11 or 13.7. It allows a physically proximate attacker to escalate privileges by modifying the Legacy GRUB bootloader configuration so that a root shell is started when the host operating system boots. Exploitation requires access to the front USB port or the internal USB port during the boot process.
Impact
Exploitation of this vulnerability grants root access to the affected appliance, allowing for full control over the system and the ability to persistently backdoor the device without detection.
Reproduction
The vulnerability can be reproduced by physically accessing the device and enabling the front USB port during the boot process. This can be done by inserting a thin wire or a specially designed tool through the front USB port to connect to a pin that activates the USB port. Once the USB port is enabled, a keyboard can be plugged in, and the device can be booted. By pressing 'c' or 'e' during the boot process, access to the GRUB shell can be gained. From there, adding 'init=/bin/sh' to the kernel parameters will start a root shell on boot, providing unauthorized access to the system.
Remediation
Users can upgrade to Entrust nShield versions 13.6.12 or 13.9.0 to address this vulnerability.
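The manipulation described under Reproduction leaves two observable traces on a generic Linux host: an init= override on the running kernel's command line, and a Legacy GRUB menu.lst with no password directive (which is what lets the 'c' and 'e' keys open the editor and shell). The following audit script is an added example, not vendor code and not the fix for these appliances (that is the upgrade above); the file paths and expected init binaries are assumptions for a generic Linux system, and the sample inputs are constructed.

```python
import re
from pathlib import Path

# Sample inputs constructed for this example; not captured from any nShield unit.
SAMPLE_CMDLINE_CLEAN = "BOOT_IMAGE=/vmlinuz root=/dev/sda2 ro quiet"
SAMPLE_CMDLINE_TAMPERED = "BOOT_IMAGE=/vmlinuz root=/dev/sda2 ro quiet init=/bin/sh"
SAMPLE_MENU_LST_OPEN = """default 0
timeout 5
title Linux
    root (hd0,0)
    kernel /vmlinuz root=/dev/sda2 ro
"""
# A 'password' directive in the global section of Legacy GRUB's menu.lst disables
# the interactive entry editor ('e') and command shell ('c') until it is entered.
SAMPLE_MENU_LST_LOCKED = "password --md5 $1$PLACEHOLDER$notarealhash\n" + SAMPLE_MENU_LST_OPEN

# Assumed defaults for a generic Linux host; adjust for the system being audited.
SHELL_INITS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash"}
EXPECTED_INITS = {"/sbin/init", "/lib/systemd/systemd", "/usr/lib/systemd/systemd"}


def audit_cmdline(cmdline: str) -> list[str]:
    """Flag an init= override on a kernel command line (the text of /proc/cmdline)."""
    findings = []
    for token in cmdline.split():
        key, sep, value = token.partition("=")
        if key != "init" or not sep:
            continue
        if value in SHELL_INITS:
            findings.append(f"init overridden to a shell: {value}")
        elif value not in EXPECTED_INITS:
            findings.append(f"init overridden to an unexpected binary: {value}")
    return findings


def legacy_grub_menu_has_password(menu_lst: str) -> bool:
    """True if a Legacy GRUB menu.lst carries a 'password' directive."""
    for line in menu_lst.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and re.match(r"password(\s|$)", line):
            return True
    return False


if __name__ == "__main__":
    # Check the running kernel's command line; the menu.lst path is an assumption.
    for finding in audit_cmdline(Path("/proc/cmdline").read_text()):
        print("WARNING:", finding)
    menu = Path("/boot/grub/menu.lst")
    if menu.exists() and not legacy_grub_menu_has_password(menu.read_text()):
        print("WARNING: menu.lst has no password directive; GRUB editor is open")
```

Run it from a scheduled job or configuration-audit tool; a non-empty result from audit_cmdline on a production host is a strong indicator that the boot configuration was tampered with.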