Thrangrycat flaw lets attackers plant persistent backdoors on Cisco gear

A vulnerability disclosed today allows hackers to plant persistent backdoors on Cisco gear, even over the Internet, with no physical access to vulnerable devices.

Named Thrangrycat, the vulnerability impacts the Trust Anchor module (TAm), a proprietary hardware security chip that has been part of Cisco gear since 2013.

This module is the Intel SGX equivalent for Cisco devices. The TAm runs from an external, hardware-isolated component that cryptographically verifies that the bootloader that loads and executes on Cisco gear is authentic.

Thrangrycat vulnerability

But last year, security researchers from Red Balloon Security found a way to attack the TAm via one of the data streams running in and out of the component: by manipulating the Field Programmable Gate Array (FPGA) bitstream.

Modifying this bitstream requires root access to the device, meaning that hackers cannot use the Thrangrycat vulnerability to modify the TAm unless they have already compromised the Cisco device to the core.

Under normal circumstances, most devices would be safe. However, if an attacker chains a security flaw that lets them get access to Cisco gear as root, then this vulnerability comes into play and becomes a big problem for device owners.

The Cisco IOS RCE

Unfortunately for all Cisco device owners, the same Red Balloon Security team also discovered a remote code execution flaw in the web interface of the Cisco IOS XE software that runs on Cisco devices, which can be used to gain root access on Cisco routers and switches.

This means that by combining Thrangrycat (CVE-2019-1649) with this remote code execution flaw (CVE-2019-1862), an attacker located anywhere on the internet can take over devices, gain root access, and then disable the TAm boot process verification, and even prevent future TAm security updates from reaching devices.

This, in turn, allows attackers to modify Cisco firmware and…
