CVE-2019-1649 Thrangrycat Exploit Affects Millions of Cisco Devices
NEWS

CVE-2019-1649 is a severe vulnerability in Cisco products. Also dubbed Thrangrycat, the exploit could allow attackers to implant a persistent backdoor on a wide range of devices in enterprise and government networks. The affected devices include routers, switches, and firewalls that support the Trust Anchor module.


CVE-2019-1649 (Thrangrycat Exploit) Technical Details

According to Red Balloon Security, the researchers who discovered the flaw, there are two vulnerabilities in the affected devices which together have been dubbed the Thrangrycat exploit. The first flaw allows an attacker to fully bypass Cisco’s Trust Anchor module (TAm) via Field Programmable Gate Array (FPGA) bitstream manipulation. The second flaw is a remote command injection vulnerability in Cisco IOS XE version 16 that allows remote code execution as root:

By chaining the exploit with remote command injection vulnerabilities, an attacker can remotely and persistently bypass Cisco’s secure boot mechanism and lock out all future software updates to the TAm, the advisory said.

What Is Cisco’s Trust Anchor Module

It’s a proprietary hardware security module that has been implemented in nearly all Cisco enterprise devices since 2013. The module ensures that the firmware running on the hardware platform is authentic and hasn’t been modified.

Unfortunately, the Red Balloon Security researchers came across several hardware design flaws in the affected devices that could enable unauthenticated threat actors to make persistent modifications to the Trust Anchor module using FPGA bitstream modification:

An attacker with root privileges on the device can modify the contents of the FPGA anchor bitstream, which is stored unprotected in flash memory. Elements of this bitstream can be modified to disable critical functionality in the TAm. Successful modification of the bitstream is persistent, and the Trust Anchor will be disabled in subsequent boot sequences. It is also possible to lock out any software updates to the TAm’s bitstream.
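The advisory's point is that the component doing the verifying is configured by data that is never itself verified. To make the design weakness concrete, here is a small Python model of a boot chain, added here as an illustration (it is not Cisco's code and does not model the real TAm or FPGA): a trust anchor whose behaviour is set by a "bitstream" read from mutable flash, beside a variant in which immutable ROM pins the bitstream's digest before the anchor is configured. All artifacts, names (`Flash`, `TrustAnchor`, `boot_unanchored`, `boot_anchored`) and digests are constructed for the example.

```python
"""Toy secure-boot model: root-of-trust configuration loaded from flash without
authentication versus configuration whose digest is pinned in immutable ROM.
Constructed illustration; not Cisco's design or code."""
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "known good" artifacts. In a real device the ROM digests would be
# burned in at manufacture; here they are simply computed from the good values.
GOOD_FIRMWARE = b"firmware-image-v1"
GOOD_BITSTREAM = b"tam-bitstream:verify_firmware=1"
DISABLED_BITSTREAM = b"tam-bitstream:verify_firmware=0"  # same format, check turned off
ROM_FIRMWARE_DIGEST = sha256_hex(GOOD_FIRMWARE)
ROM_BITSTREAM_DIGEST = sha256_hex(GOOD_BITSTREAM)


@dataclass
class Flash:
    """Mutable storage that root on the device can rewrite."""
    firmware: bytes
    bitstream: bytes


class TrustAnchor:
    """Verifier whose behaviour is entirely determined by the loaded bitstream."""

    def __init__(self, bitstream: bytes) -> None:
        # The bitstream decides whether firmware verification happens at all.
        self.verify_enabled = b"verify_firmware=1" in bitstream

    def firmware_ok(self, firmware: bytes) -> bool:
        if not self.verify_enabled:
            return True  # verification silently skipped by the bitstream
        return sha256_hex(firmware) == ROM_FIRMWARE_DIGEST


def boot_unanchored(flash: Flash) -> str:
    """Weak design: configure the anchor from flash without authenticating the bitstream.
    A persistent change to flash.bitstream disables verification on every later boot."""
    tam = TrustAnchor(flash.bitstream)
    if tam.firmware_ok(flash.firmware):
        return "booted"
    return "halted: firmware integrity failure"


def boot_anchored(flash: Flash) -> str:
    """Hardened design: immutable ROM checks the bitstream's digest before the
    anchor is configured, so a modified bitstream never gets to decide anything."""
    if sha256_hex(flash.bitstream) != ROM_BITSTREAM_DIGEST:
        return "halted: bitstream integrity failure"
    tam = TrustAnchor(flash.bitstream)
    if tam.firmware_ok(flash.firmware):
        return "booted"
    return "halted: firmware integrity failure"


if __name__ == "__main__":
    tampered = Flash(firmware=b"modified-firmware", bitstream=DISABLED_BITSTREAM)
    print("unanchored:", boot_unanchored(tampered))  # boots despite modified firmware
    print("anchored:  ", boot_anchored(tampered))    # halts on the bitstream check
```

The contrast is the whole lesson: with the good bitstream both designs reject modified firmware, but once the bitstream itself is changed, the unanchored chain boots anything, because the check that would have caught the change lives in the thing that was changed. A root of trust only deserves the name when its own configuration is protected by something it cannot overwrite.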


While the flaws are rooted in hardware, they can be exploited remotely without any need for physical access. Since the flaws reside within the hardware design, it is unlikely that any software security patch will fully resolve the fundamental security flaw, the researchers said. The vulnerabilities do not appear to have been exploited in the wild, but the potential danger is severe.

The researchers demonstrated the vulnerabilities on a Cisco ASR 1001-X router, but they believe that the exploit affects a number of other systems that also feature TAm implementations. Since there are millions of Cisco units running FPGA-based TAm around the world, the range of affected devices is vast.

The team privately reported their findings involving CVE-2019-1649 to Cisco in November last year. Details about their findings were partially made public after the company issued firmware patches addressing the serious flaws.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!
