A Flaw Affecting Millions of Cisco Devices Enables Persistent Backdoor Implantation

Researchers have discovered a severe vulnerability in Cisco products that could allow attackers to install a persistent backdoor on a variety of enterprise and government network devices, including routers, switches, and firewalls.

The vulnerability, discovered by Red Balloon security researchers and identified as CVE-2019-1649, is known as Thrangrycat. It affects multiple Cisco products that support the Trust Anchor module (TAm).

Trust Anchor module (TAm) is a hardware-based Secure Boot functionality that has been implemented in nearly all Cisco enterprise devices since 2013. This functionality ensures that the firmware running on hardware platforms is authentic and unmodified.

Researchers discovered a series of hardware design flaws that could allow an authenticated attacker to load a malicious bootloader and make persistent modifications to the Trust Anchor module via FPGA bitstream modification.

“Unprotected flash memory allows an attacker with root privileges on the device to modify the contents of the FPGA anchor bitstream. Elements of this bitstream may be altered to disable crucial TAm functionality “Researchers reported.

“Successful modification of the bitstream is persistent, and subsequent boot sequences will disable the Trust Anchor. Additionally, it is possible to prevent software updates to the TAm’s bitstream.”

Chaining With Remote Bugs Requires No Physical Access

Since exploitation of the vulnerability requires root privileges, a Cisco advisory emphasized that only a local attacker with physical access to the affected system could write a modified firmware image to the component.

However, Red Balloon researchers explained that remote attackers could also exploit the Thrangrycat flaw by chaining it with other vulnerabilities that would allow them to gain root access or at the very least execute commands as root.

To demonstrate this attack, researchers disclosed an RCE vulnerability (CVE-2019-1862) in the web-based user interface of Cisco’s IOS operating system that permits a logged-in administrator to remotely execute arbitrary commands with root privileges on the underlying Linux shell of an affected device.

After gaining root access, a malicious administrator can remotely bypass the Trust Anchor module (TAm) and install a malicious backdoor using the Thrangrycat vulnerability.

What makes this vulnerability more severe is as follows:

“By chaining the remote command injection vulnerabilities, an attacker can remotely and persistently bypass Cisco’s secure boot mechanism and prevent all future software updates to the TAm,” according to researchers.

“Because the flaws reside in the hardware’s design, it is unlikely that a software security patch will resolve the fundamental security vulnerability in its entirety.”

Researchers tested the vulnerabilities on Cisco ASR 1001-X routers, but hundreds of millions of Cisco devices running an FPGA-based TAm are vulnerable. This includes enterprise routers, network switches, and firewalls.

Red Balloon Security reported the vulnerabilities to Cisco in November 2018 and only released some details to the public after Cisco released firmware updates to fix both vulnerabilities and listed all affected products.

Cisco stated that it has not observed any attacks exploiting either of these two vulnerabilities.

In August, the full details of the vulnerabilities will be disclosed at the Black Hat USA security conference.

Why Trust Us?

Best Top Reviews Online was established in 2018 to provide our readers with detailed, truthful, and impartial advice on what to buy. We now have millions of monthly users from all over the world and annually evaluate over a thousand products.

The above article was written by the BestTopReviewsOnline team, which consists of some of the most knowledgeable technical experts in the United States. Our team consists of highly regarded writers with vast experience in smartphones, computer components, technology apps, security, and photography, among other fields.

Related Stories

  • All Post
  • Best Picks
  • Explainers
  • How To
  • News
  • Versus
Active Firewall Vulnerability Triggers CISA Warning

August 23, 2022

CISA warns that Palo Alto Networks’ PAN-OS is currently under active attack and should be patched immediately. The software that operates Palo Alto Networks’ firewalls is under attack, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to warn public…

Get more info



Best Products

Buying Guides

Contact Us

About Us

We provide a platform for our customers to rate and review services and products, as well as the stores that sell them. We research and compare the most popular brands and models before narrowing it down to the top ten, providing you with the most comprehensive and reliable buying advice to help you make your decision.


BestTopReviewsOnline.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com. As an Amazon Associate I earn from qualifying purchases.


Address & Map

20 S Santa Cruz Ave, Suite 300, Los Gatos, CA 95030, United States

© 2022 BestTopReviewsOnline.com Pty. Ltd. All Rights Reserved. Licensing: All third-party trademarks, images, and copyrights used on this page are for comparative advertising, criticism, or review. As this is a public forum where users can express their opinions on specific products and businesses, the opinions expressed do not reflect those of BestTopReviewsOnline.com.