
Thrangrycat: critical vulnerability in Cisco device firmware allows hackers to install backdoors on them

Information security researchers have discovered a dangerous vulnerability in the firmware used on various types of Cisco devices. The flaw, tracked as CVE-2019-1649 and nicknamed Thrangrycat, allows attackers to install backdoors on routers, switches, and firewalls.
What is the problem
Cisco products that support the Trust Anchor module (TAm), the component used to boot devices securely (Secure Boot), are vulnerable; since 2013 it has been included in the firmware of almost all enterprise-level devices.
The researchers identified a number of design flaws in the firmware. As a result, an attacker can alter the behaviour of the Trust Anchor module by modifying the FPGA bitstream, which is stored in flash memory without any protection, and then load a malicious bootloader.
To carry out the attack, an attacker needs root privileges on the device. For this reason, Cisco noted in its security bulletin that local access to the equipment is also required. However, the researchers who discovered Thrangrycat explained on the site dedicated to the vulnerability that remote exploitation is also possible: the attacker can first use the remote code execution vulnerability CVE-2019-1862 in the web interface of the Cisco IOS operating system.
That flaw allows an authenticated administrator to execute arbitrary commands in the underlying Linux shell with root privileges. Once it has been exploited, nothing prevents the attacker from going on to exploit the Thrangrycat vulnerability.
How to protect yourself
Since TAm is a module implemented directly in firmware, a fundamental security flaw of this kind cannot be fixed with an ordinary software patch. Cisco's bulletin says the company plans to release firmware patches.
The Thrangrycat vulnerability demonstrates that the security-through-obscurity approach taken by many hardware developers endangers the security of end users. Information security specialists have criticized this practice for many years, yet this does not stop large electronics manufacturers, citing the protection of intellectual property, from demanding that non-disclosure agreements be signed before technical documentation is released. The situation is worsening as microchips grow more complex and integrate ever more proprietary firmware. In practice this makes such platforms impossible for independent researchers to analyze, which puts both ordinary users and equipment manufacturers at risk.
Besides Cisco, Intel Management Engine (Intel ME) technology and its variants for server (Intel SPS) and mobile (Intel TXE) platforms serve as another example of the possible side effects of the "security through obscurity" principle.
On Thursday, May 16, Positive Technologies researchers Maxim Goryachiy and Mark Ermolov will explain how undocumented commands can be used to overwrite SPI flash memory and exploit a local vulnerability in Intel ME (INTEL-SA-00086).
Participation in the webinar is free; registration is required.