Microsoft has patched a security feature bypass vulnerability affecting Surface Pro 3 tablets that could enable threat actors to introduce malicious devices into enterprise environments.
The security flaw, dubbed TPM Carte Blanche by Google security researchers who discovered it, is tracked as CVE-2021-42299 and can be exploited in high complexity attacks by attackers with access to the owner’s credentials or physical access to the device.
Device Health Attestation is a cloud and on-premises service that validates TPM and PCR logs for endpoints and informs Mobile Device Management (MDM) solutions if Secure Boot, BitLocker, and Early Launch Antimalware (ELAM) are enabled, Trusted Boot is correctly signed, and more.
By exploiting CVE-2021-42299, attackers can poison the TPM and PCR logs to obtain false attestations, allowing them to compromise the Device Health Attestation validation process.
“Devices use Platform Configuration Registers (PCRs) to record information about device and software configuration to ensure that the boot process is secure. Windows uses these PCR measurements to determine device health,” Microsoft explains.
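As an added example (not code from the article, Microsoft, or Google), the following Python models the two checks an attestation verifier such as Device Health Attestation performs on a measured-boot event log and the PCR values quoted by the TPM: replaying the log to confirm it matches the quote, then comparing the result against known-good reference values. The event contents, PCR indexes and reference values are constructed for illustration.

```python
import hashlib

# TPM 2.0 PCR extend in the SHA-256 bank: new = SHA256(old || digest), starting from all zeros.
PCR_INIT = bytes(32)

def extend(pcr: bytes, digest: bytes) -> bytes:
    return hashlib.sha256(pcr + digest).digest()

def replay_log(events):
    """Replay an event log into the PCR values it implies.
    Each event is (pcr_index, measured_bytes); the digest of the bytes is extended."""
    pcrs = {}
    for idx, data in events:
        pcrs[idx] = extend(pcrs.get(idx, PCR_INIT), hashlib.sha256(data).digest())
    return pcrs

def verify(events, quoted_pcrs, reference_pcrs):
    """Returns (log_consistent, policy_ok):
    log_consistent: the log replays to the PCR values in the TPM quote;
    policy_ok:      the replayed values equal the stored known-good reference."""
    expected = replay_log(events)
    log_consistent = all(expected.get(i) == v for i, v in quoted_pcrs.items())
    policy_ok = all(expected.get(i) == v for i, v in reference_pcrs.items())
    return log_consistent, policy_ok

# Constructed sample log for a healthy boot (hypothetical measurements, not real Surface values).
GOOD_LOG = [
    (0, b"firmware-volume-v1"),
    (7, b"SecureBoot=1"),
    (7, b"db: platform CA"),
]
REFERENCE = replay_log(GOOD_LOG)  # the "golden" PCRs a verifier would keep on file

def demo():
    # Healthy device: log replays to the quote and matches the reference.
    healthy = verify(GOOD_LOG, REFERENCE, REFERENCE)                     # (True, True)
    # Device booted with Secure Boot off: log and quote agree, but policy fails.
    insecure = [(0, b"firmware-volume-v1"), (7, b"SecureBoot=0")]
    downgraded = verify(insecure, replay_log(insecure), REFERENCE)       # (True, False)
    # Edited log claiming a healthy boot while the TPM quote reflects the real one:
    # the policy check alone would pass, which is why the replay check is required.
    edited = verify(GOOD_LOG, replay_log(insecure), REFERENCE)           # (False, True)
    # Caveat: both checks trust the quoted PCRs. If, as the article describes, an attacker
    # can poison the PCR values themselves, a forged log can be made to pass both checks,
    # which the verifier cannot detect from these values alone.
    return healthy, downgraded, edited
```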