Flaw Affecting Millions of Cisco Devices Let Attackers Implant Persistent Backdoor

The Hacker News (thehackernews.com), May 14, 2019, 8:54 a.m.

CVSS3: 7.2 High

| Metric | Value |
| --- | --- |
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | HIGH |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS2: 9 High

| Metric | Value |
| --- | --- |
| Access Vector | NETWORK |
| Access Complexity | LOW |
| Authentication | SINGLE |
| Confidentiality Impact | COMPLETE |
| Integrity Impact | COMPLETE |
| Availability Impact | COMPLETE |

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

EPSS: 0.003 Low (percentile 66.4%)

Cisco Trust Anchor module

Researchers have discovered a severe vulnerability in Cisco products that could allow attackers to implant a persistent backdoor on a wide range of devices used in enterprise and government networks, including routers, switches, and firewalls.

Dubbed Thrangrycat or 😾😾😾, the vulnerability, discovered by researchers from the security firm Red Balloon and identified as CVE-2019-1649, affects multiple Cisco products that support the Trust Anchor module (TAm).

The Trust Anchor module (TAm) is a hardware-based Secure Boot function implemented in almost all Cisco enterprise devices since 2013; it ensures that the firmware running on the hardware platform is authentic and unmodified.

However, the researchers found a series of hardware design flaws that could allow an authenticated attacker to make persistent modifications to the Trust Anchor module by altering its FPGA bitstream and then load a malicious bootloader.

> “An attacker with root privileges on the device can modify the contents of the FPGA anchor bitstream, which is stored unprotected in flash memory. Elements of this bitstream can be modified to disable critical functionality in the TAm,” researchers said.

> “Successful modification of the bitstream is persistent, and the Trust Anchor will be disabled in subsequent boot sequences. It is also possible to lock out any software updates to the TAm’s bitstream.”

Chaining With Remote Bugs: No Physical Access Required

Since exploiting the vulnerability requires root privileges, an advisory released by Cisco stressed that only a local attacker with physical access to the targeted system could write a modified firmware image to the component.

However, Red Balloon researchers explained that attackers could also exploit the Thrangrycat vulnerability remotely by chaining it with other flaws that allow them to gain root access or, at least, execute commands as root.

To demonstrate this attack, the researchers revealed an RCE vulnerability (CVE-2019-1862) in the web-based user interface of Cisco’s IOS operating system that allows a logged-in administrator to remotely execute arbitrary commands on the underlying Linux shell of an affected device with root privileges.

After gaining root access, the rogue administrator can then remotely bypass the Trust Anchor module (TAm) on a targeted device using the Thrangrycat vulnerability and install a malicious backdoor.

Here’s what makes this vulnerability more severe:

> “By chaining the 😾😾😾 and remote command injection vulnerabilities, an attacker can remotely and persistently bypass Cisco’s secure boot mechanism and lock out all future software updates to the TAm,” researchers said.

> “Since the flaws reside within the hardware design, it is unlikely that any software security patch will fully resolve the fundamental security vulnerability.”

While the researchers tested the vulnerabilities against Cisco ASR 1001-X routers, hundreds of millions of Cisco units around the world running an FPGA-based TAm, which includes everything from enterprise routers to network switches and firewalls, are vulnerable.

Red Balloon Security privately reported the issues to Cisco in November 2018 and only released some details to the public after Cisco issued firmware patches to address both flaws and listed all affected products.

Cisco said it has not detected attacks exploiting either of these two vulnerabilities.

The full details of the vulnerabilities will be released at this year’s Black Hat USA security conference in August.
