Tech

Thrangrycat flaw lets attackers plant persistent backdoors on Cisco gear

Most Cisco gear is believed to be impacted. No attacks detected, as of yet.

Written by Catalin Cimpanu, Contributor May 13, 2019 at 2:18 p.m. PT

Security

A vulnerability disclosed today allows hackers to plant persistent backdoors on Cisco gear, even over the Internet, with no physical access to vulnerable devices.

Named Thrangrycat, the vulnerability impacts the Trust Anchor module (TAm), a proprietary hardware security chip part of Cisco gear since 2013.

This module is the Intel SGX equivalent for Cisco devices. The TAm runs from an external, hardware-isolated component that cryptographically verifies that the bootloader that loads and executes on Cisco gear is authentic.

Thrangrycat vulnerability

But last year, security researchers from Red Balloon Security have found a way to attack the TAm via one of the data streams running in and out of the component -- by manipulating the Field Programmable Gate Array (FPGA) bitstream.

Modifying this bitstream requires root access to the device, meaning that hackers can use the Thrangrycat vulnerability to modify the TAm unless they already compromised Cisco devices to the core.

Under normal circumstances, most devices would be safe. However, if an attacker chains a security flaw that lets them get access to Cisco gear as root, then this vulnerability comes into play and becomes a big problem for device owners.

The Cisco IOS RCE

Unfortunately for all Cisco device owners, the same Red Balloon Security team also discovered a remote code execution flaw in the web interface of the Cisco IOS XE software that runs on Cisco devices, which can be used to gain root access on Cisco routers and switches.

This means that by combining Thrangrycat (CVE-2019-1649) with this remote code execution flaw (CVE-2019-1862), an attacker located anywhere on the internet can take over devices, gain root access, and then disable the TAm boot process verification, and even prevent future TAm security updates from reaching devices.

This, in turn, allows attackers to modify Cisco firmware and plant persistent backdoors on targeted devices.

Most Cisco gear likely impacted

Researchers said they only tested this vulnerability with Cisco ASR 1001-X routers, but any Cisco device running an FPGA-based TAm is vulnerable.

Cisco released security updates for both vulnerabilities earlier today. The Cisco Thrangrycat security advisory lists devices Cisco believes are impacted, along with available firmware patches.

The Cisco security advisory for the RCE bug in the Cisco IOS XE web UI also includes a form that lets device owners see if the version they're running is vulnerable.

Cisco said it did not detect any attacks exploiting these two flaws. Nonetheless, taking into account that proof of concept code to demonstrate both flaws is available in the public domain, attacks are eventually expected to take place.

On a website dedicated to the Thrangrycat vulnerability, the Red Balloon Security team said plan to present a tool for detecting Thrangrycat attacks in August this year, at the Black Hat 2019 security conference.