Researchers have discovered a severe vulnerability in Cisco products that could allow attackers to install a persistent backdoor on a variety of enterprise and government network devices, including routers, switches, and firewalls.
The vulnerability, discovered by Red Balloon security researchers and identified as CVE-2019-1649, is known as Thrangrycat. It affects multiple Cisco products that support the Trust Anchor module (TAm).
The Trust Anchor module (TAm) is hardware-based Secure Boot functionality that has been implemented in nearly all Cisco enterprise devices since 2013. It ensures that the firmware running on the hardware platform is authentic and unmodified.
Researchers discovered a series of hardware design flaws that could allow an authenticated attacker to load a malicious bootloader and make persistent modifications to the Trust Anchor module via FPGA bitstream modification.
“Unprotected flash memory allows an attacker with root privileges on the device to modify the contents of the FPGA anchor bitstream. Elements of this bitstream may be altered to disable crucial TAm functionality,” the researchers reported.
“Successful modification of the bitstream is persistent, and subsequent boot sequences will disable the Trust Anchor. Additionally, it is possible to prevent software updates to the TAm’s bitstream.”
Chaining With Remote Bugs Requires No Physical Access
Since exploitation of the vulnerability requires root privileges, a Cisco advisory emphasized that only a local attacker with physical access to the affected system could write a modified firmware image to the component.
However, Red Balloon researchers explained that remote attackers could also exploit the Thrangrycat flaw by chaining it with other vulnerabilities that would allow them to gain root access or at the very least execute commands as root.
To demonstrate this attack, researchers disclosed an RCE vulnerability (CVE-2019-1862) in the web-based user interface of Cisco’s IOS operating system that permits a logged-in administrator to remotely execute arbitrary commands with root privileges on the underlying Linux shell of an affected device.
After gaining root access, a malicious administrator can remotely bypass the Trust Anchor module (TAm) and install a malicious backdoor using the Thrangrycat vulnerability.
The researchers explained why this makes the vulnerability far more severe:
“By chaining the remote command injection vulnerabilities, an attacker can remotely and persistently bypass Cisco’s secure boot mechanism and prevent all future software updates to the TAm,” according to researchers.
“Because the flaws reside in the hardware’s design, it is unlikely that a software security patch will resolve the fundamental security vulnerability in its entirety.”
Researchers tested the vulnerabilities on Cisco ASR 1001-X routers, but hundreds of millions of Cisco devices running an FPGA-based TAm are vulnerable. This includes enterprise routers, network switches, and firewalls.
Red Balloon Security reported the vulnerabilities to Cisco in November 2018 and only released some details to the public after Cisco released firmware updates to fix both vulnerabilities and listed all affected products.
Cisco stated that it has not observed any attacks exploiting either of these two vulnerabilities.
In August, the full details of the vulnerabilities will be disclosed at the Black Hat USA security conference.