Meet Thrangrycat, a Cisco router secure boot flaw • The Register

Security weaknesses at the heart of some of Cisco’s network routers, switches, and firewalls can be exploited by hackers to hide spyware deep inside compromised equipment.

In order to exploit these flaws, dubbed 😾😾😾 or Thrangrycat by their discoverers, a miscreant or rogue employee needs to be able to log into the vulnerable device as an administrator, and can thus already do a lot of damage or snooping on your enterprise anyway.

What makes 😾😾😾 interesting is that it can be used by an attacker to take that initial privileged access and go deeper, making fundamental changes to the way the equipment boots up so that spyware, once installed, is always secretly present and running, and can’t be patched out or removed. Normally, not even admin users are allowed to do that. The vulnerability allows malicious code to persist on compromised systems.

Technical overview

Thrangrycat comes in two parts. First, there’s a flaw (CVE-2019-1862) in the web-based user interface of the Cisco IOS XE Software that can be exploited by a logged-in administrator to execute commands as root on the underlying Linux-based shell.

A rogue admin can leverage that input-sanitization vulnerability to reach the second part: with the resulting root-level access, it is possible to rewrite the firmware (CVE-2019-1649) that configures the on-board FPGA chip responsible for securely booting the equipment.

FPGAs are chips with thousands of logic gates and other circuitry that can be rewired as required on-the-fly to perform custom operations in hardware. How the gates and circuits are connected and interact is defined by a bitstream stored in the motherboard firmware.
