Thrangrycat flaw allows crooks to inject backdoor via Cisco devices

Recently discovered Thrangrycat flaw makes millions of Cisco devices insecure

Cisco reveals that Thrangrycat vulnerability that is found in the company's software can be misused for injecting a malicious backdoor via TAm

Recently, Red Ballon technology experts discovered a vulnerability named Thrangrycat^[1] or CVE-2019-1649. This type of flaw is affecting numerous Cisco devices having the TAm (Trust Anchor module) activated.^[2] The module has been included in a big variety of Cisco's products since 2013 to make sure that the produced hardware is unique and does not lack authenticity.

The vulnerability appears to be really dangerous as it can allow bad actors to inject malware-based components on some of Cisco's devices and products such as firewalls, switches, and routers. What is even more worrying is that these types of products are widely used in enterprises and government networks.

Unfortunately, experts have also discovered other flaws that allow making changes to the TAm via FPGA bitstream and inject malware:^[3]

The vulnerability is due to an improper check on the area of code that manages on-premise updates to a Field Programmable Gate Array (FPGA) part of the Secure Boot hardware implementation. An attacker with elevated privileges and access to the underlying operating system that is running on the affected device could exploit this vulnerability by writing a modified firmware image to the FPGA.

Attack demonstration by using the CVE-2019-1862 flaw

Even though Cisco released a report saying that exploiting the flaw and connecting to the targeted system requires leveled privileges, Red Balloon specialists have revealed that cybercriminals have the possibility of abusing the Thrangrycat flaw remotely. This can be done by connecting it together with other vulnerabilities which altogether could launch specific commands or even gain access to the targeted computer system.

In order to show how this type of attack works, the researchers used an RCE flaw, also known as CVE-2019-1862^[4] for the demonstration process. This vulnerability gives permission to a logged-in admin to execute specific commands through another machine on the Linux shell of the targeted device that includes root privileges. Once access is gained, the criminal can avoid the TAm module by using the Thrangrycat flaw and then inject the backdoor virus.

Cisco keeps updating all its products that are found to be vulnerable

Cisco revealed that no suspicious attacks were detected by using the two beforementioned flaws. However, once the flaws are being tested, numerous Cisco-based units that include an FPGA-related TAm all over the world are vulnerable and can easily be misused by bad actors to plant some malicious backdoor on the targeted system.

Talking about the affected products, Cisco claims to keep in touch with all users and perform regular updates if something new is discovered.^[5] Some good news is that all vulnerable products are included in the list provided by the company while others remain untouched and safe to use. The problem was provided to Cisco in November 2018 when Red Ballon Security reported it and more details will be provided in a conference in August, known as “Black Hat USA security”.