Researchers have discovered a severe vulnerability in Cisco products that could allow attackers to implant a persistent backdoor on a wide range of devices used in enterprise and government networks, including routers, switches, and firewalls.
Dubbed Thrangrycat or 😾😾😾, the vulnerability, discovered by researchers from the security firm Red Balloon and identified as CVE-2019-1649, affects multiple Cisco products that support Trust Anchor module (TAm).
Trust Anchor module (TAm) is a hardware-based Secure Boot functionality implemented in almost all Cisco enterprise devices since 2013 that ensures the firmware running on the hardware platform is authentic and unmodified.
However, researchers found a series of hardware design flaws that could allow an authenticated attacker to make persistent modifications to the Trust Anchor module via FPGA bitstream modification and load a malicious bootloader.
“An attacker with root privileges on the device can modify the contents of the FPGA anchor bitstream, which is stored unprotected in flash memory. Elements of this bitstream can be modified to disable critical functionality in the TAm,” researchers said.
“Successful modification of the bitstream is persistent, and the Trust Anchor will be disabled in subsequent boot sequences. It is also possible to lock out any software updates to the TAm’s bitstream.”
Chaining With Remote Bugs: No Physical Access Required
Since exploiting the vulnerability requires root privileges, an advisory released by Cisco stressed that only a local attacker with physical access to the targeted system could write a modified firmware image to the component.
However, Red Balloon researchers explained that attackers could also exploit the Thrangrycat vulnerability remotely by chaining it together with other flaws that could allow them to gain root access or, at least, execute commands as root.
To demonstrate this attack, researchers revealed an RCE vulnerability (CVE-2019-1862) in the web-based user interface of Cisco’s IOS operating system that allows a logged-in administrator to remotely execute arbitrary commands on the underlying Linux shell of an affected device with root privileges.