SPOT Report – Cisco – Thrangrycat

By Samuel Harris, 

Overview

On May 13th, 2019 security company Red Balloon Security released a vulnerability called 😾😾😾, also being deemed Thrangrycat, that impacts multiple Cisco devices at a hardware level within Cisco’s Trust Anchor Module.

Cisco’s Trusted Anchor Module (TAm) is a root of trust for Cisco’s secure boot process in which, upon booting the system, verifies the bootloader to ensure it’s integrity has not been compromised. If the bootloader is deemed to be compromised then the TAm notifies the user and reboots; stopping the compromised bootloader from running.

This same team also discovered vulnerability CVE-2019-1862 which allows a remote code execution flaw in the web interface on Cisco IOS XE software that runs on Cisco devices. This vulnerability allows an attacker to gain root access on Cisco routers.

Combining the Thrangrycat and CVE-2019-1862 is allowing attacker to modify Cisco firmware and create persistent backdoors on devices.

Red Balloon Security privately disclosed the vulnerability on November 8th, 2018 and has worked directly with Cisco PSIRT to coordinate a public disclosure when ready.

Potential Impact

This particular vulnerability requires an attacker to have root privileges, allowing them to gain access to modify the FPGA anchor stream that is stored in unprotected flash memory. By modifying the FPGA anchor stream an attacker is able to disable a critical functionality within the TAm. By altering the anchor stream and disabling the TAm the attacker is able to successfully gain persistent access on the impacted Cisco Device upon subsequent reboots, and could potentially lock out any updates to the TAm to resolve the issue. Under normal circumstances, most devices will be safe.

A list of impacted devices can be found on Cisco’s website and their security advisory for this specific vulnerability:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190513-secureboot

Mitigation

Cisco has recently released an update for this particular vulnerability in the following security advisory:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190513-secureboot

However, it is believed that since this is a hardware based vulnerability, it will be difficult to fully mitigate unless the hardware design is completely overhauled.

Detection

Qualys and Tenable have not yet released detections for CVE-2019-1649 as of this writing.
If you are Vulnerability Management customer with Deepwatch, your vulnerability management SME will communicate with you in regards to which assets are considered vulnerable to you in your environment.

Managing Risk

It is recommended to keep any impacted hardware up-to-date with patches in order to mitigate the vulnerability.

Contributors

Samuel Harris – Vulnerability Management Practice Lead
Kate Boucher – Vulnerability Management Subject Matter Expert
Jen O’Neil – Vulnerability Management Subject Matter Expert

Supporting Information

• https://www.wired.com/story/cisco-router-bug-secure-boot-trust-anchor/
• https://thrangrycat.com/
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190513-secureboot