Entrust nShield Products BIOS Access Vulnerability

Vulnerability

A vulnerability in Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, and in 13.7, allows an attacker to access the BIOS setup menu, which is not password protected. Exploitation requires enabling USB access during boot, which in turn requires physical presence at the nShield HSM.

Impact

Exploitation of this vulnerability allows unauthorized access to the BIOS setup, where security-relevant settings can be modified. This includes options that grant highly privileged access to the system.

Reproduction

The vulnerability can be reproduced by physically accessing the HSM and enabling the front USB port during boot. This can be done by inserting a thin wire or needle through the front USB port to connect to a pin that activates the USB port. Once the USB port is enabled, the HSM can be booted up. By pressing 'c' repeatedly after the HSM beeps, access to the GRUB bootloader can be gained. From there, kernel parameters can be modified to initiate a root shell on boot, or to edit the recovery partition, among other actions.

Remediation

Users can update to Entrust nShield versions 13.6.12 or 13.9.0, where this vulnerability has been fixed.
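As an added defender-side example (not part of this advisory and not Entrust tooling), the following Python script classifies deployed firmware version strings against the affected and fixed versions stated above, so that units still on a vulnerable release can be scheduled for the update. The hostnames and versions in the sample inventory are constructed. Versions the advisory does not mention (for example the 13.8 line) are reported separately rather than assumed safe.

```python
"""Inventory triage for the nShield BIOS-access advisory (added example).

Classifies firmware version strings against the versions the advisory names:
  affected: all versions through 13.6.11, plus the 13.7 line
  fixed:    13.6.12 (13.6 maintenance line) and 13.9.0
Anything else is reported as not covered by the advisory.
"""
from __future__ import annotations

AFFECTED = "affected"
FIXED = "fixed"
UNKNOWN = "not covered by advisory"


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.minor[.patch]' into a comparable tuple; a missing patch is 0."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def classify(text: str) -> str:
    """Map one firmware version string to AFFECTED, FIXED or UNKNOWN."""
    v = parse_version(text)
    major, minor, _patch = v
    if v <= (13, 6, 11):                 # "through 13.6.11"
        return AFFECTED
    if (major, minor) == (13, 7):        # the 13.7 line is listed as affected
        return AFFECTED
    if (13, 6, 12) <= v < (13, 7, 0):    # 13.6 maintenance line carrying the fix
        return FIXED
    if v >= (13, 9, 0):                  # 13.9.0 and later
        return FIXED
    return UNKNOWN                       # e.g. 13.8.x: not addressed by the advisory


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hostnames by classification, hostnames sorted for stable reporting."""
    groups: dict[str, list[str]] = {AFFECTED: [], FIXED: [], UNKNOWN: []}
    for host, version in sorted(inventory.items()):
        groups[classify(version)].append(host)
    return groups


# Constructed sample inventory: hostnames and versions are illustrative only.
SAMPLE_INVENTORY = {
    "hsm-dc1-01": "13.6.11",
    "hsm-dc1-02": "13.6.12",
    "hsm-dc2-01": "13.7",
    "hsm-dc2-02": "13.9.0",
    "hsm-lab-01": "13.4.2",
    "hsm-lab-02": "13.8.1",
}

if __name__ == "__main__":
    for label, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{label}: {', '.join(hosts) or '-'}")
```

The script deliberately refuses to guess about versions the advisory does not name; an operator running a 13.8 unit should confirm its status with the vendor rather than treat it as patched.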

Added: Dec 2, 2025, 4:21 PM
Updated: Dec 2, 2025, 5:26 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 4.6
remediation: 7.7
relevance: 1.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.