Entrust nShield Products Recovery Partition Modification Vulnerability

Vulnerability

A vulnerability exists in Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allowing a physically proximate attacker with root access to modify the Recovery Partition. This issue arises from inadequate integrity protection, enabling unauthorized alterations that could persist across factory resets.

Impact

Exploitation of this vulnerability allows for unauthorized modifications to the recovery partition, which can be used to maintain persistence on the device even after a factory reset.

Reproduction

To reproduce this vulnerability, gain root access to the affected nShield appliance. This can be achieved by enabling the front USB port during boot, connecting a keyboard, and accessing the GRUB bootloader. Once in the GRUB shell, add 'init=/bin/sh' to the kernel parameters and boot the device. After gaining access to the root shell, mount the recovery partition and make the desired modifications.

Remediation

Users can update to Entrust nShield versions 13.6.12 or 13.9.0, where this vulnerability has been addressed.
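
The version boundaries stated above can be turned into a fleet triage check. The following is an added example, not Entrust tooling or code from the original advisory; the inventory hostnames are constructed, and treating every 13.7.x build as affected and every 13.6.x build from 13.6.12 onward (and every release from 13.9.0 onward) as fixed is an assumption drawn from the wording of the advisory. Releases the advisory does not mention, such as 13.8.x, are reported as "unlisted" rather than guessed.

```python
import re

# Boundaries taken from the advisory text.
FIXED_13_6 = (13, 6, 12)    # first fixed release on the 13.6 line
FIXED_NEXT = (13, 9, 0)     # the other fixed release named in the advisory
AFFECTED_BRANCH = (13, 7)   # named as affected; assumed to cover all 13.7.x

def parse_version(text):
    """Turn '13.6.11' or 'v13.7' into a 3-tuple of ints; None if malformed."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(p) if p else 0 for p in m.groups())

def classify(text):
    """Return 'affected', 'fixed', 'unlisted' or 'unparseable'."""
    v = parse_version(text)
    if v is None:
        return "unparseable"
    if v >= FIXED_NEXT:
        return "fixed"       # assumption: releases after 13.9.0 keep the fix
    if v[:2] == AFFECTED_BRANCH:
        return "affected"
    if v < FIXED_13_6:
        return "affected"    # "through 13.6.11"
    if v[:2] == FIXED_13_6[:2]:
        return "fixed"       # 13.6.12 and later 13.6.x (assumption)
    return "unlisted"        # e.g. 13.8.x: the advisory gives no status

def triage(inventory):
    """Group (hostname, firmware_version) pairs by status."""
    report = {}
    for host, version in inventory:
        report.setdefault(classify(version), []).append(host)
    return report

# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE = [
    ("hsm-a", "13.6.11"), ("hsm-b", "13.6.12"), ("hsm-c", "13.7"),
    ("hsm-d", "13.8.1"), ("hsm-e", "13.9.0"), ("hsm-f", "unknown"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE).items()):
        print(f"{status:12} {', '.join(hosts)}")
```

Hosts reported as "unlisted" or "unparseable" need manual confirmation against vendor guidance before they are treated as safe.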

Added: Dec 2, 2025, 3:22 PM
Updated: Dec 2, 2025, 5:33 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 2.5
exploitability: 3.0
remediation: 7.7
relevance: 1.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.