===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2021.0225
       Microsoft Surface Pro 3 Security Feature Bypass Vulnerability
                              20 October 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          Microsoft Surface Pro 3
Operating System: Windows
Impact/Access:    Reduced Security -- Existing Account
Resolution:       None
CVE Names:        CVE-2021-42299  

OVERVIEW

        Microsoft has released an out-of-band advisory detailing a security
        bypass vulnerability that affects the Microsoft Surface Pro 3. [1]
        
        Microsoft advises that there is proof of concept code available 
        targeting this vulnerability. [1]


IMPACT

        Microsoft has assigned CVE-2021-42299 to this vulnerability. [1][2]
        
        Microsoft advises that the Surface Pro 4, Surface Book, and more recent
        Surface devices are not vulnerable. [2]
        
        Microsoft has attempted to notify all affected vendors. [2]


MITIGATION

        There is no fix available for this vulnerability. Microsoft states 
        "We encourage customers to practice good security habits, including
        positive control over their device and preventing unauthorized 
        physical access to their machine." [1]


REFERENCES

        [1] Microsoft Surface Pro 3 Security Feature Bypass Vulnerability
            https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42299

        [2] Microsoft Security Update Guidance
            https://portal.msrc.microsoft.com/en-us/security-guidance

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================