Entrust nShield Products Privilege Escalation Vulnerability Allowing Tamper Event Falsification

A vulnerability exists in Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11 or 13.7, allowing a physically proximate attacker with elevated privileges to falsify tamper events by accessing internal components. This vulnerability can be exploited by modifying the Cosmo firmware on the HSM, which is not protected by secure boot, or by gaining root access through unverified firmware upgrades. Once the tamper log is altered, the changes can be made undetectable by the HSM or the end user.

Impact

Exploitation of this vulnerability allows for the persistent and undetectable modification of the tamper log, which is the only way for a user to receive tamper event notifications.

Reproduction

The vulnerability can be reproduced by physically accessing the HSM, enabling the front USB port during boot, and connecting a device that can manipulate the HSM's firmware or tamper log. This can be done by inserting a thin wire through the front USB port to access a pin that controls USB access, then booting the HSM and entering a command that initiates a root shell. Once root access is obtained, the Cosmo firmware can be modified or the tamper log can be edited directly.

Remediation

Entrust has released patches for this vulnerability in versions 13.6.12 and 13.9.0.