05.15.19

SPOT Report – Cisco – Thrangrycat

By Samuel Harris

Overview

On May 13th, 2019, security company Red Balloon Security publicly disclosed a vulnerability named 😾😾😾, also known as Thrangrycat and tracked as CVE-2019-1649, that affects multiple Cisco devices at the hardware level, within Cisco's Trust Anchor module.

Cisco's Trust Anchor module (TAm) is the hardware root of trust for Cisco's secure boot process: when the system boots, the TAm verifies the bootloader to ensure its integrity has not been compromised. If the bootloader fails verification, the TAm notifies the user and reboots the device, stopping the compromised bootloader from running.

The same team also discovered CVE-2019-1862, a command injection flaw in the web user interface of Cisco IOS XE Software, which runs on many Cisco devices. It allows an authenticated remote attacker to execute commands with root privileges on affected Cisco routers.

Chaining CVE-2019-1862 (to obtain root) with Thrangrycat (to defeat secure boot) allows an attacker to modify Cisco firmware and create a backdoor that persists across reboots.

Red Balloon Security privately disclosed the vulnerability to Cisco on November 8th, 2018 and worked directly with Cisco PSIRT to coordinate the public disclosure.

Potential Impact

Exploiting this vulnerability requires an attacker to already have root privileges on the device. With root, the attacker can modify the FPGA bitstream that configures the TAm, which is stored in unprotected flash memory. By altering the bitstream the attacker can disable critical TAm functionality, so a modified bootloader is no longer caught at boot; this gives the attacker persistence that survives subsequent reboots and could potentially block updates intended to repair the TAm. Because root is a precondition, a device on which an attacker has not already gained privileged access is not directly exposed; the practical risk comes from chaining Thrangrycat with a privilege-gaining flaw such as CVE-2019-1862.
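The two paragraphs above (how the TAm verifies the bootloader, and why a root attacker who can rewrite the FPGA bitstream defeats that check) can be made concrete with a toy model. The following Python is an added example written for this report; it is not Cisco's, Red Balloon's, or Deepwatch's code, and it says nothing about Cisco's actual bitstream format. The `Flash` class, the `ENFORCE=...` word encoding, the `ROM_*` digests, and the sample bootloader images are all hypothetical, constructed only to show the principle: a root of trust whose enforcement logic is itself loaded from writable flash protects everything except itself, while a root of trust that first verifies its own configuration against an immutable value does not.

```python
"""
Toy model of a secure-boot root of trust, added to illustrate the class of
weakness behind Thrangrycat. This is NOT Cisco's design or code: the names
Flash, ROM_*, and the "ENFORCE=..." bitstream format are hypothetical, as is
all sample data. It captures one point from the advisory: if the FPGA
bitstream that configures the enforcement logic lives in flash that root can
rewrite, an attacker with root can switch the bootloader check off.
"""
import hashlib
import hmac
from dataclasses import dataclass


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Constructed sample images (not real firmware).
GOOD_BOOTLOADER = b"bootloader-v1.0: verify kernel, jump to kernel"
EVIL_BOOTLOADER = b"bootloader-v1.0: start backdoor shell, jump to kernel"

# Hypothetical bitstream encoding: key=value words separated by ';'.
GOOD_BITSTREAM = b"ENFORCE=1;RESET_ON_FAIL=1"
PATCHED_BITSTREAM = b"ENFORCE=0;RESET_ON_FAIL=1"   # a single word flipped

# Values a vendor would burn into mask ROM at manufacture. In this model ROM
# is the only storage the attacker cannot write.
ROM_EXPECTED_BOOTLOADER_DIGEST = sha256(GOOD_BOOTLOADER)
ROM_EXPECTED_BITSTREAM_DIGEST = sha256(GOOD_BITSTREAM)


@dataclass
class Flash:
    """Writable flash. Root on the device can overwrite both regions."""
    bitstream: bytes
    bootloader: bytes


def parse_bitstream(bits: bytes) -> dict:
    """Decode the hypothetical bitstream into its configuration words."""
    return dict(word.split("=", 1) for word in bits.decode().split(";") if word)


def vulnerable_boot(flash: Flash) -> str:
    """Anchor whose behaviour is configured by a bitstream read, unverified,
    from the same unprotected flash it is supposed to police. Returns
    "booted" if the bootloader is allowed to run, "halted" if the anchor
    stops the boot."""
    cfg = parse_bitstream(flash.bitstream)          # trusted without checking
    bootloader_ok = hmac.compare_digest(sha256(flash.bootloader),
                                        ROM_EXPECTED_BOOTLOADER_DIGEST)
    if cfg.get("ENFORCE") == "1" and not bootloader_ok:
        return "halted"
    return "booted"


def hardened_boot(flash: Flash) -> str:
    """Root of trust anchored in ROM: the bitstream is verified against an
    immutable digest before it is loaded, and enforcement is not a
    flash-resident switch. Trade-off: the bitstream can only change by
    reprogramming the ROM value (a real design would pin a public key and
    verify a signature instead, so the vendor can ship updated bitstreams)."""
    if not hmac.compare_digest(sha256(flash.bitstream),
                               ROM_EXPECTED_BITSTREAM_DIGEST):
        return "halted"                               # tampered anchor config
    if not hmac.compare_digest(sha256(flash.bootloader),
                               ROM_EXPECTED_BOOTLOADER_DIGEST):
        return "halted"                               # tampered bootloader
    return "booted"


def attacker_with_root(flash: Flash) -> Flash:
    """What an attacker who already has root (for example via a separate RCE)
    does: write a backdoored bootloader and flip the bitstream word that
    gates enforcement, so the backdoor survives every subsequent reboot."""
    return Flash(bitstream=PATCHED_BITSTREAM, bootloader=EVIL_BOOTLOADER)


def run_scenarios() -> dict:
    """Boot outcomes for a clean device, a device with only the bootloader
    tampered, and a root-compromised device, under both anchor designs."""
    clean = Flash(bitstream=GOOD_BITSTREAM, bootloader=GOOD_BOOTLOADER)
    bootloader_only = Flash(bitstream=GOOD_BITSTREAM, bootloader=EVIL_BOOTLOADER)
    compromised = attacker_with_root(clean)
    return {
        "vulnerable/clean": vulnerable_boot(clean),
        "vulnerable/bootloader-only": vulnerable_boot(bootloader_only),
        "vulnerable/bitstream+bootloader": vulnerable_boot(compromised),
        "hardened/clean": hardened_boot(clean),
        "hardened/bootloader-only": hardened_boot(bootloader_only),
        "hardened/bitstream+bootloader": hardened_boot(compromised),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:34} -> {outcome}")
```

The "vulnerable/bootloader-only" case shows the anchor doing its job: a modified bootloader alone is caught. The "vulnerable/bitstream+bootloader" case is the Thrangrycat shape: the attacker never has to break the hash check, only rewrite the flash word that decides whether the check matters. In the hardened model that same write is caught before the bitstream is ever loaded, because the value it is compared against is not in writable storage.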

A list of impacted devices can be found on Cisco’s website and their security advisory for this specific vulnerability:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190513-secureboot

Mitigation

Cisco has published fix information for this vulnerability in the following security advisory:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190513-secureboot

However, because the weakness is in the hardware design rather than in software alone, it is believed that a software update cannot fully mitigate it and that a complete fix would require a redesign of the hardware.

Detection

Qualys and Tenable have not yet released detections for CVE-2019-1649 (Thrangrycat) as of this writing.
If you are a Vulnerability Management customer with Deepwatch, your vulnerability management SME will communicate with you about which assets in your environment are considered vulnerable.

Managing Risk

It is recommended to keep any impacted hardware up to date with Cisco's fixed releases as they become available. Because both Thrangrycat and CVE-2019-1862 require privileged access, restricting administrative access to affected devices, including who can reach the IOS XE web UI, reduces the chance that an attacker obtains the root privileges the attack chain depends on.

Contributors

Samuel Harris – Vulnerability Management Practice Lead
Kate Boucher – Vulnerability Management Subject Matter Expert
Jen O’Neil – Vulnerability Management Subject Matter Expert

Supporting Information

  • https://www.wired.com/story/cisco-router-bug-secure-boot-trust-anchor/
  • https://thrangrycat.com/
  • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190513-secureboot
