Millions of Cisco Routers Are Vulnerable to Permanent Disabling of the Trust Anchor


Security researchers have identified two serious vulnerabilities in Cisco routers and named them Thrangrycat. With the vulnerabilities, the Trust Anchor security can be permanently disabled.

Red Balloon Security found the vulnerabilities in the Cisco products. The researchers describe Thrangrycat, or 😾😾😾, on a dedicated page. The two vulnerabilities are used in combination, and the more serious one concerns Cisco’s Trust Anchor security module, or TAm. The researchers have shown that they can bypass that protection on a Cisco ASR 1001-X router, but believe that TAm implementations in other Cisco products are vulnerable as well.

Cisco has been using the Trust Anchor module since 2013 in switches, routers and firewalls, among other products, so a vulnerability in the module affects millions of devices in use. Trust Anchor is the hardware that validates the integrity of the firmware on Cisco products and thus forms the basis for the Secure Boot start-up procedure. The researchers describe how an FPGA in the Trust Anchor loads an unencrypted bitstream from a serial peripheral interface (SPI) flash chip at start-up. If the FPGA detects that the pre-boot environment is not in a correct state, it asserts the processor’s reset pin to force a reboot.

The first step of a successful Thrangrycat attack involves exploiting a command injection vulnerability in version 16 of Cisco IOS XE. This step gives remote code execution as root. That makes the second step possible: root privileges allow the attacker to modify the contents of the FPGA bitstream, which is unencrypted. As a result, critical functions of the TAm can be disabled, and those modifications can be made permanent. Even after a restart, the protection of the TAm remains disabled. The changes to the bitstream can also prevent Cisco software updates from being applied.

Cisco has announced a patch for the vulnerability in IOS and has prepared a list of vulnerable products. For some products the fixes will arrive in May, but most products will only receive them months later, some not until November. In the meantime, there are no workarounds according to Cisco. Moreover, the patches are not easy to apply: “In most cases, the fix requires on-site reprogramming of a low-level hardware component required for normal operation of the device.”
