CVE-2021-42299: Microsoft Surface Pro 3 Security Feature Bypass Vulnerability

Which Surface devices are affected by this vulnerability?

The Surface Pro 3.

Are any other devices vulnerable?

Microsoft has confirmed that the Surface Pro 3 is vulnerable. However, it is possible that other devices, including non-Microsoft devices, using a similar BIOS may also be vulnerable.

The Surface Pro 4, Surface Book, and more recent Surface devices are not vulnerable.

What can an attacker do with this vulnerability?

Devices use Platform Configuration Registers (PCRs) to record information about device and software configuration to ensure that the boot process is secure. Windows uses these PCR measurements to determine device health.

A vulnerable device can masquerade as a healthy device by extending arbitrary values into Platform Configuration Register (PCR) banks.

How do I protect myself?

This technique requires physical access to a target victim’s device, or an attacker would already have had to compromise a legitimate user’s credentials. We encourage customers to practice good security habits, including positive control over their device and preventing unauthorized physical access to their machine.

Access to corporate resources is gated by user credentials, please see the following resources for more information:

• https://www.microsoft.com/en-us/online-safety/resources
• https://support.microsoft.com/en-us/windows/keep-your-computer-secure-at-work-809c3560-b59b-a8ad-71e5-082f26691910

Microsoft has attempted to notify all affected vendors.