Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Thrangrycat flaw could allow compromising millions of Cisco devices

Security firm Red Balloon discovered a severe vulnerability dubbed Thrangrycat, in Cisco products that could be exploited to an implant persistent backdoor in many devices. Experts at Red Balloon Security disclosed two vulnerabilities in Cisco products. The first issue dubbed Thrangrycat, and tracked as CVE-2019-1649, affects multiple Cisco products that support Trust Anchor module (TAm). The issue […]

Cisco Catalyst

Security firm Red Balloon discovered a severe vulnerability dubbed Thrangrycat, in Cisco products that could be exploited to an implant persistent backdoor in many devices.

Experts at Red Balloon Security disclosed two vulnerabilities in Cisco products. The first issue dubbed Thrangrycat, and tracked as CVE-2019-1649, affects multiple Cisco products that support Trust Anchor module (TAm).
The issue could be exploited by an attacker to fully bypass Cisco’s Trust Anchor module (TAm) via Field Programmable Gate Array (FPGA) bitstream manipulation. The second vulnerability, tracked as
CVE-2019-1862, is a remote command injection issue that affects Cisco IOS XE version 16 and that could allow remote attackers to execute code as root.

By chaining the flaws an attacker can remotely and persistently bypass Cisco’s secure boot mechanism and lock out all future software updates to the TAm.

A vulnerability in the logic that handles access control to one of the hardware components in Cisco’s proprietary Secure Boot implementation could allow an authenticated, local attacker to write a modified firmware image to the component.” reads the advisory published by Cisco. “This vulnerability affects multiple Cisco products that support hardware-based Secure Boot functionality. “

The Trust Anchor module (TAm) is a hardware-based component the allows to check that Cisco hardware is authentic and also implements additional security services.

Cisco Secure Boot helps ensure that the code running on Cisco hardware platforms is authentic and unmodified, it is available in Cisco devices since 2013.

The researchers discovered that an attacker with root privileges can make a persistent modification to the Trust Anchor module via FPGA bitstream modification and load a malicious bootloader.

“An attacker with root privileges on the device can modify the contents of the FPGA anchor bitstream, which is stored unprotected in flash memory.” reads the analysis published by the experts.

“Elements of this bitstream can be modified to disable critical functionality in the TAm. Successful modification of the bitstream is persistent, and the Trust Anchor will be disabled in subsequent boot sequences. It is also possible to lock out any software updates to the TAm’s bitstream.”

Thrangrycat flaw Cisco devices

Cisco classified the flaw as high severity, it received a CVSS Score Base 6.7 because the exploitation of the flaw requires root privileges. Anyway, Red Balloon pointed out that attackers could also exploit the Thrangrycat vulnerability remotely by chaining it together with other vulnerabilities that could allow them to gain root access or, at least, execute commands as root.

“An attacker with elevated privileges and access to the underlying operating system that is running on the affected device could exploit this vulnerability by writing a modified firmware image to the FPGA.” continues the advisory published by Cisco. “A successful exploit could either cause the device to become unusable (and require a hardware replacement) or allow tampering with the Secure Boot verification process, which under some circumstances may allow the attacker to install and boot a malicious software image. “

Summarizing, the attackers first exploit the RCE vulnerability (CVE-2019-1862) in the web-based user interface of Cisco’s IOS that allows a logged-in administrator to remotely execute arbitrary commands on the underlying Linux shell with root privileges.

Then, once gained root access, the attacker can remotely bypass Trust Anchor module (TAm) on a targeted device triggering the Thrangrycat vulnerability and install a malicious backdoor.

The flaws are very concerning because they reside in the hardware and cannot be addressed with a software patch.

“Since the flaws reside within the hardware design, it is unlikely that any software security patch will fully resolve the fundamental security vulnerability.” concludes the advisory published by Red Balloon.

The experts successfully tested the flaw against Cisco ASR 1001-X routers, but hundreds of millions of Cisco units featuring an FPGA-based TAm implementation are vulnerable.

Red Balloon experts reported the flaws to Cisco in November 2018 and publicly disclosed some details to the public after Cisco released firmware patches to address the vulnerabilities.

The good news is that Cisco in not aware of attacks in the wild exploiting the two vulnerabilities.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Thrangrycat, Cisco)

[adrotate banner=”5″]

[adrotate banner=”13″]