
Information security researchers have discovered a dangerous vulnerability in the firmware used on various types of Cisco devices. The bug, CVE-2019-1649, also known as Thrangrycat, allows attackers to install backdoors on routers, switches and firewalls.
What is the problem
Vulnerable are Cisco products that support the Trust Anchor module (TAm) feature, which is used to boot devices in a secure mode (Secure Boot); since 2013 it has been included in the firmware of almost all enterprise-level devices.
The researchers found a number of design flaws in the firmware. As a result, an attacker can make changes to the Trust Anchor module by modifying the FPGA bitstream, which is unprotected and stored in flash memory, and load a malicious bootloader.
To conduct an attack, the attacker needs root privileges on the device. For this reason, Cisco experts noted in the security bulletin that local access to the equipment is also required. However, the researchers who discovered Thrangrycat explained on the site dedicated to it that remote exploitation is also possible: the attacker can first use the RCE vulnerability in the web interface of the Cisco IOS operating system, CVE-2019-1862.
This bug allows an administrator to execute arbitrary commands in the underlying Linux shell with root privileges. Once it has been exploited, nothing prevents the attacker from going on to exploit the Thrangrycat vulnerability.
How to protect
Since TAm is a module used directly in the hardware's firmware, the fundamental security problem cannot be fixed with an ordinary patch. The Cisco bulletin says that the company plans to release firmware patches.
The Thrangrycat vulnerability demonstrates that the "security through obscurity" approach used by many hardware developers jeopardizes the security of end users. Security experts have been criticizing this practice for years, but this does not stop large electronics manufacturers, under the pretext of protecting intellectual property, from demanding that non-disclosure agreements be signed before technical documentation is released. The situation is getting worse because of the increasing complexity of chips and the integration of various proprietary firmware into them. In practice, this makes it impossible for independent researchers to analyze such platforms, which puts both ordinary users and equipment manufacturers at risk.
Beyond Cisco, another example of the possible side effects of the "security through obscurity" principle is the Intel Management Engine (Intel ME) technology, along with its versions for server (Intel SPS) and mobile (Intel TXE) platforms.
On Thursday, May 16, Positive Technologies researchers Maxim Goryachiy and Mark Yermolov will explain how undocumented commands can be used to overwrite SPI flash memory and locally exploit vulnerabilities in Intel ME (INTEL-SA-00086).
Participation in the webinar is free; registration is required.