Microsoft has published a new advisory warning of a security bypass vulnerability affecting Surface Pro 3 convertible laptops that could be exploited by an adversary to introduce malicious devices within enterprise networks and defeat the device attestation mechanism.
Tracked as CVE-2021-42299 (CVSS score: 5.6), the issue has been codenamed “TPM Carte Blanche” by Google software engineer Chris Fenner, who is credited with discovering and reporting the attack technique. As of this writing, other Surface devices, including the Surface Pro 4 and Surface Book, have been deemed unaffected, although other non-Microsoft machines using a similar BIOS may be vulnerable.
“Devices use Platform Configuration Registers (PCRs) to record information about device and software configuration to ensure that the boot process is secure,” the Windows maker noted in a bulletin. “Windows uses these PCR measurements to determine device health. A vulnerable device can masquerade as a healthy device by extending arbitrary values into Platform Configuration Register (PCR) banks.”
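To make the attestation logic in the bulletin concrete, here is an added example (not code from Microsoft's advisory or from Fenner's research) of how a verifier replays a TPM event log into a fresh set of PCRs and checks the result against the PCR values a device reports. The event-log entries are constructed sample data, and the choice of PCR 0 and PCR 7 as the registers the verifier relies on is an assumption.

```python
import hashlib

# Constructed sample event log: (pcr_index, event_type, measured_data).
# A real verifier would parse the TCG event log reported by the device;
# these entries are illustrative only.
SAMPLE_EVENT_LOG = [
    (0, "EV_S_CRTM_VERSION", b"firmware-version-1.0"),
    (0, "EV_POST_CODE", b"firmware-image-bytes"),
    (7, "EV_EFI_VARIABLE_DRIVER_CONFIG", b"SecureBoot=1"),
    (7, "EV_EFI_VARIABLE_AUTHORITY", b"db-signer-cert"),
]


def pcr_extend(pcr_value: bytes, digest: bytes) -> bytes:
    """TPM 2.0 extend for a SHA-256 bank: PCR_new = SHA256(PCR_old || digest)."""
    return hashlib.sha256(pcr_value + digest).digest()


def replay_event_log(events, pcr_count: int = 24) -> dict:
    """Replay every logged measurement into PCRs that start at all zeros."""
    pcrs = {i: bytes(32) for i in range(pcr_count)}
    for index, _event_type, data in events:
        pcrs[index] = pcr_extend(pcrs[index], hashlib.sha256(data).digest())
    return pcrs


def verify_quote(quoted_pcrs: dict, events, required_pcrs=(0, 7)):
    """Attestation check a verifier can apply to a device's reported PCRs.

    Two conditions must hold for every PCR the health decision depends on:
    the reported value must equal the value replayed from the event log, and
    the log must actually contain measurements into that PCR. A PCR that no
    logged boot event extended carries no evidence about the boot and must
    not be treated as a sign of a healthy device.
    Returns (ok, list_of_reasons).
    """
    replayed = replay_event_log(events)
    reasons = []
    for idx in required_pcrs:
        if quoted_pcrs.get(idx) != replayed[idx]:
            reasons.append(f"PCR{idx}: quoted value does not match event-log replay")
        if not any(e[0] == idx for e in events):
            reasons.append(f"PCR{idx}: no measurement events recorded")
    return (not reasons, reasons)


if __name__ == "__main__":
    healthy_quote = replay_event_log(SAMPLE_EVENT_LOG)
    print(verify_quote(healthy_quote, SAMPLE_EVENT_LOG))
```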