Entrust nShield Products Privilege Escalation Vulnerability via Unauthorized USB Reactivation

Vulnerability

A vulnerability in Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11 or 13.7 allows a physically proximate attacker to escalate privileges. This is achieved by reactivating the USB interface during system boot, without triggering any tamper events or leaving visible traces. The reactivated USB port can be used to connect a keyboard, enabling access to the GRUB bootloader and root privileges on the appliance.

Impact

Exploitation of this vulnerability allows for unauthorized access to the appliance's root account, enabling persistent and undetectable modifications to the device. This includes the ability to alter the tamper log, which is the only way for users to receive tamper notifications.

Reproduction

The vulnerability can be reproduced by physically accessing the device and inserting a probe into the chassis to connect with a pin that activates the USB port. Once the USB port is enabled, a keyboard can be plugged in and used to access the GRUB shell during the boot process. From there, the HSM can be rebooted and the GRUB parameters can be modified to gain root access.

Remediation

Users can update to Entrust nShield versions 13.6.12 or 13.9.0 to address this vulnerability.
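
For triaging a fleet against the fixed releases named above, the following is an added example and not Entrust tooling. The inventory, hostnames and the source of the version strings are constructed assumptions. It also assumes that any version below 13.9.0 outside the 13.6 line needs the update, which includes versions the advisory does not list explicitly.

```python
import re

# Fixed releases named in the advisory.
FIXED_MAINTENANCE = (13, 6, 12)  # fix on the 13.6 line
FIXED_MAINLINE = (13, 9, 0)      # fix on the newer line


def parse_version(text):
    """Return (major, minor, patch), or None if text is not a dotted version."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        return None
    # A missing patch component ("13.7") is treated as 0.
    return tuple(int(p) if p else 0 for p in m.groups())


def needs_update(text):
    """True if below the applicable fixed release, False if at or above it,
    None if the version string cannot be parsed."""
    v = parse_version(text)
    if v is None:
        return None
    # Compare as integer tuples: a string compare would rank "13.6.5"
    # above "13.6.12" and miss an unpatched appliance.
    if v[:2] == FIXED_MAINTENANCE[:2]:
        return v < FIXED_MAINTENANCE
    return v < FIXED_MAINLINE


def triage(inventory):
    """Map each hostname to 'update', 'ok' or 'verify-manually'."""
    labels = {True: "update", False: "ok", None: "verify-manually"}
    return {host: labels[needs_update(ver)] for host, ver in inventory}


# Constructed inventory (hypothetical hosts and version strings).
INVENTORY = [
    ("hsm-a.example", "13.6.11"),
    ("hsm-b.example", "13.6.12"),
    ("hsm-c.example", "13.7"),
    ("hsm-d.example", "13.9.0"),
    ("hsm-e.example", "13.6.5"),
    ("hsm-f.example", "unknown"),
]

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```

Appliances that come back as `verify-manually` should be checked by hand, not assumed patched.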

Added: Dec 2, 2025, 3:19 PM
Updated: Dec 2, 2025, 5:31 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 4.6
remediation: 7.7
relevance: 1.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.