Flaw Affecting Millions of Cisco Devices Let Attackers Implant Persistent Backdoor

Cisco Trust Anchor module

Researchers have discovered a severe vulnerability in Cisco
products that could allow attackers to implant a persistent backdoor
on a wide range of devices used in enterprise and government networks,
including routers, switches, and firewalls.

Dubbed Thrangrycat[1] or ???, the
vulnerability, discovered by researchers from the security firm Red
Balloon and identified as CVE-2019-1649, affects multiple Cisco
products that support Trust Anchor module (TAm).

The Trust Anchor module (TAm) is a hardware-based Secure Boot
function implemented in almost all Cisco enterprise devices
since 2013; it ensures that the firmware running on the hardware
platform is authentic and unmodified.

However, the researchers found a series of hardware design flaws
that could allow an authenticated attacker to persistently modify
the Trust Anchor module by altering its FPGA bitstream and then
load a malicious bootloader.

“An attacker with root privileges on the device can modify the
contents of the FPGA anchor bitstream, which is stored unprotected
in flash memory. Elements of this bitstream can be modified to
disable critical functionality in the TAm,” researchers said.

“Successful modification of the bitstream is persistent, and the
Trust Anchor will be disabled in subsequent boot sequences. It is
also possible to lock out any software updates to the TAm’s
bitstream.”

Chaining With Remote Bugs: No Physical Access Required

Since exploiting the vulnerability requires root privileges, an
advisory released[2] by Cisco stressed that only a local attacker
with physical access to the targeted system could write a modified
firmware image to the component.

However, Red Balloon researchers explained that attackers could
also exploit the Thrangrycat vulnerability remotely by chaining it
together with other flaws that could allow them to gain root access
or, at least, execute commands as root.

To demonstrate this attack, the researchers revealed an RCE
vulnerability (CVE-2019-1862[3]) in the web-based user
interface of Cisco’s IOS operating system that allows a logged-in
administrator to remotely execute arbitrary commands on the
underlying Linux shell of an affected device with root
privileges.

After gaining root access, the rogue administrator can then
remotely bypass the Trust Anchor module (TAm) on a targeted device
using the Thrangrycat vulnerability and install a malicious
backdoor.

Here’s what makes this vulnerability more severe:

“By chaining the ??? and remote command injection vulnerabilities,
an attacker can remotely and persistently bypass Cisco’s secure
boot mechanism and lock out all future software updates to the
TAm,” researchers said.

“Since the flaws reside within the hardware design, it is unlikely
that any software security patch will fully resolve the fundamental
security vulnerability.”

While the researchers tested the vulnerabilities against Cisco ASR
1001-X routers, hundreds of millions of Cisco units running an
FPGA-based TAm around the world—which includes everything from
enterprise routers to network switches and firewalls—are
vulnerable.

Red Balloon Security privately reported the issues to Cisco in
November 2018 and only released some details to the public after
Cisco had issued firmware patches to address both flaws and listed all
affected products.

Cisco said it had not detected any attacks exploiting either of
these two vulnerabilities.

The full details of the vulnerabilities will be released at this
year’s Black Hat USA security conference in August.

References

  1. Thrangrycat (thrangrycat.com)
  2. Cisco advisory (tools.cisco.com)
  3. CVE-2019-1862 (tools.cisco.com)