IT-security experts discovered dangerous bug in Cisco protected load mechanism that affected a wide range of products that used in governmental and corporate networks, including routers, commutators and firewalls.Vulnerability named Thrangrycat (CVE-2019-1649) linked to the range of disadvantages in the design of TAm module (Trust Anchor module) that is function of protected trusted download Secure Boot. This function allows checking program unity of the device and realized in more than 300 company’s products.
Red Balloon Specialists found way to attack TAm and make changes in module via I/O data streams by manipulating a bit stream of a programmable logic array FPGA (Field Programmable Gate Array).
“TAm is the root of trust that underpins all other Cisco security and trustworthy computing mechanisms in these devices. Thrangrycat allows an attacker to make persistent modification to the Trust Anchor module via FPGA bitstream modification, thereby defeating the secure boot process and invalidating Cisco’s chain of trust at its root”, — report Red Balloon Security specialists.
Thrangrycat can be exploited remotely without necessity of physical access to devices
“The vulnerability occurs because the affected software improperly sanitizes user-supplied input. An attacker who has valid administrator access to an affected device could exploit this vulnerability by supplying a crafted input parameter on a form in the Web UI and then submitting that form. A successful exploit could allow the attacker to run arbitrary commands on the device with root privileges, which may lead to complete system compromise”, — confess Cisco specialists.
It is noted that for bites stream modification attacker will have to get access with rights of superusers on the device, so vulnerability can be used only is equipment is already compromised, for example, with the use of bug that allows interception of control over the device.
Aside Thrangrycat, researchers discovered such vulnerability. The case is about RCE-bug (CVE-2019-1862) in web-interface of IOS XE that realized in Cisco products and that can be used for access to routers and commutators with the rights of superuser.
Combining listed above vulnerabilities, attackers will have opportunity of intercepting control over devices, get root access, disable TAm check, and block module’s safety updates. In its turn, this will allows them implement backdoors on targeted devices.
Specialists tested attack on Cisco routers ASR 1001-X only, but, they say that any device with FPGA-module TAm is vulnerable. Full lists of vulnerable equipment presented in Cisco notification.
Nevertheless, there is no established cases of vulnerability exploitation yet.