CVE-2019-1649 is a severe vulnerability in Cisco products. Dubbed Thrangrycat, it could allow an attacker who has already obtained root on a device to implant a persistent backdoor on a wide range of routers, switches and firewalls deployed in enterprise and government networks, namely those built around Cisco's Trust Anchor module.
CVE-2019-1649 (Thrangrycat Exploit) Technical Details
According to Red Balloon Security, the researchers who discovered the flaw, two vulnerabilities are involved in the attack they dubbed Thrangrycat. The first, CVE-2019-1649 itself, allows an attacker to fully bypass Cisco's Trust Anchor module (TAm) by manipulating the Field Programmable Gate Array (FPGA) bitstream that implements it. The second, CVE-2019-1862, is a remote command injection vulnerability in the web UI of Cisco IOS XE version 16 that allows remote code execution as root; it supplies the root access the bitstream attack requires:
By chaining the exploit with remote command injection vulnerabilities, an attacker can remotely and persistently bypass Cisco’s secure boot mechanism and lock out all future software updates to the TAm, the advisory said.
What Is Cisco’s Trust Anchor Module
It is a proprietary hardware root of trust that Cisco has built into nearly all of its enterprise devices since 2013. The module anchors Cisco Secure Boot: it verifies that the bootloader and firmware running on the platform are authentic and have not been modified before they are allowed to execute.
Unfortunately, the Red Balloon Security researchers found several hardware design flaws in these devices that allow an attacker who already has root privileges on the running system to make persistent modifications to the Trust Anchor module by rewriting its FPGA bitstream:
An attacker with root privileges on the device can modify the contents of the FPGA anchor bitstream, which is stored unprotected in flash memory. Elements of this bitstream can be modified to disable critical functionality in the TAm. Successful modification of the bitstream is persistent, and the Trust Anchor will be disabled in subsequent boot sequences. It is also possible to lock out any software updates to the TAm’s bitstream.
While the flaws are rooted in hardware, exploiting them does not require physical access: an attacker who first gains root remotely, for example through the IOS XE command injection above, can carry out the bitstream modification over the network. Because the weakness lies in the hardware design, the researchers do not expect a software patch alone to fully resolve it. At the time of disclosure there was no indication that the flaws had been exploited in the wild, although the potential impact is severe.
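The core of the design problem described above is where the trust anchor's own configuration lives: the FPGA bitstream sits in mutable flash with nothing immutable vouching for it, so root on the operating system is enough to change what the TAm does on every subsequent boot. The following toy model, added here as an illustration and not code from Cisco or Red Balloon Security, places a weak loader that trusts flash next to a hardened one that checks the bitstream against a digest held in storage the OS cannot write. The bitstream layout, the feature-flag byte, and the flash/ROM field names are all invented for the model; a real FPGA bitstream is an opaque vendor-specific binary.

```python
"""Toy model of the design flaw behind CVE-2019-1649.

Added illustration, not code from Cisco or Red Balloon Security. The bitstream
layout, the "feature flag" byte and the storage names are invented for the
model; a real FPGA bitstream is an opaque vendor-specific binary.

Two boot paths are shown: the weak one loads the FPGA bitstream straight from
mutable flash, so anyone with root can alter it and the change persists across
reboots; the hardened one checks the bitstream against a digest held in
storage the OS cannot write (modelled as ROM) before configuring the FPGA.
"""
import hashlib
import hmac

# Invented feature flags carried in byte 1 of the model bitstream.
FLAG_VERIFY_BOOT = 0x01   # TAm verifies the next boot stage
FLAG_ALLOW_UPDATE = 0x02  # TAm accepts bitstream updates
HEADER = b"\xa5"


def build_bitstream(flags: int, payload: bytes = b"\xaa" * 16) -> bytes:
    """Model bitstream: header byte, flag byte, opaque configuration data."""
    return HEADER + bytes([flags & 0xFF]) + payload


GENUINE_BITSTREAM = build_bitstream(FLAG_VERIFY_BOOT | FLAG_ALLOW_UPDATE)


def manufacture():
    """Return (flash, rom) for a freshly built device.

    flash is writable by anyone with root on the running OS; rom is fixed at
    manufacture and holds the digest of the bitstream that was burned in.
    """
    flash = {"fpga_bitstream": bytearray(GENUINE_BITSTREAM)}
    rom = {"fpga_bitstream_sha256": hashlib.sha256(GENUINE_BITSTREAM).digest()}
    return flash, rom


def parse_flags(bitstream: bytes) -> dict:
    """Decode the model's flag byte; reject anything without the header."""
    if len(bitstream) < 2 or bitstream[:1] != HEADER:
        raise ValueError("malformed bitstream")
    flags = bitstream[1]
    return {
        "verify_boot": bool(flags & FLAG_VERIFY_BOOT),
        "allow_update": bool(flags & FLAG_ALLOW_UPDATE),
    }


def attacker_with_root_tampers(flash) -> None:
    """Attack model: root clears the TAm flags in the flash copy of the
    bitstream, disabling boot verification and locking out future updates."""
    flash["fpga_bitstream"][1] &= ~(FLAG_VERIFY_BOOT | FLAG_ALLOW_UPDATE) & 0xFF


def boot_unprotected(flash) -> dict:
    """Weak design: configure the FPGA with whatever flash contains."""
    return parse_flags(bytes(flash["fpga_bitstream"]))


def boot_authenticated(flash, rom) -> dict:
    """Hardened design: refuse to configure the FPGA unless the flash copy
    matches the digest anchored in immutable storage."""
    bitstream = bytes(flash["fpga_bitstream"])
    expected = rom["fpga_bitstream_sha256"]
    if not hmac.compare_digest(hashlib.sha256(bitstream).digest(), expected):
        raise RuntimeError("FPGA bitstream digest mismatch; halting boot")
    return parse_flags(bitstream)


def update_bitstream(flash, new_bitstream: bytes) -> bool:
    """Model of a TAm update gated on the currently loaded bitstream. Once the
    attacker clears FLAG_ALLOW_UPDATE, legitimate updates are refused, which
    is the lock-out behaviour the advisory describes."""
    if not boot_unprotected(flash)["allow_update"]:
        return False
    flash["fpga_bitstream"] = bytearray(new_bitstream)
    return True


if __name__ == "__main__":
    flash, rom = manufacture()
    print("genuine:", boot_unprotected(flash))
    attacker_with_root_tampers(flash)
    print("tampered, weak loader:", boot_unprotected(flash))
    print("update accepted after tampering:", update_bitstream(flash, GENUINE_BITSTREAM))
    try:
        boot_authenticated(flash, rom)
    except RuntimeError as exc:
        print("tampered, hardened loader:", exc)
```

The model deliberately uses a fixed digest in ROM, which means even a legitimate bitstream update would fail verification; a production design would anchor a public key in immutable storage and verify a signature over the bitstream so that vendor-signed updates remain possible. The point the model makes is about where the trust anchor for the bitstream lives, not which primitive checks it: as long as the only copy of the bitstream and everything that vouches for it is in storage root can write, the hardened path is unavailable and the weak path is what ships.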
The researchers demonstrated the vulnerabilities on a Cisco ASR 1001-X router, but they expect the issue to affect many other platforms that implement an FPGA-based TAm. With millions of such Cisco units deployed worldwide, the population of potentially affected devices is very large.
The team privately reported their findings on CVE-2019-1649 to Cisco in November 2018. They made only partial details public once Cisco had issued an advisory and firmware fixes addressing the flaws.