High-risk vulnerability in Cisco’s secure boot process impacts millions of devices

Red Balloon Security has discovered a high-risk vulnerability in Cisco’s secure boot process which impacts a wide range of Cisco products in use among enterprise and government networks, including routers, switches and firewalls.


The vulnerability, codenamed Thrangrycat, is caused by a series of hardware design flaws within Cisco’s Trust Anchor module. First commercially introduced in 2013, Cisco Trust Anchor module (TAm) is a proprietary hardware security module that is used in a wide range of Cisco products, including enterprise routers, switches and firewalls. TAm is the root of trust that underpins all other Cisco security and trustworthy computing mechanisms in these devices.

The Thrangrycat vulnerability allows an attacker to make persistent modifications to the Trust Anchor module via remote exploitation, thereby defeating the secure boot process and invalidating Cisco’s chain of trust at its root.

While the flaws are based in hardware, Thrangrycat can be exploited remotely without any need for physical access. Since the Thrangrycat flaws reside within the hardware design, Red Balloon Security researchers believe it is unlikely that any software security patch will fully resolve the fundamental security vulnerability.

“This is a significant security weakness which potentially exposes a large number of corporate, government and even military networks to remote attacks,” said Dr. Ang Cui, founder and chief scientist of Red Balloon Security. “We’re talking about tens of millions of devices potentially affected by this vulnerability, many of them located inside of sensitive networks. These Cisco products form the backbone of secure communications for these organizations, and yet we can exploit them to permanently own their networks. Fixing this problem isn’t easy, because to truly remediate it requires a physical replacement of the chip at the heart of the Trust Anchor system. A firmware patch will help to offset the risks, but it won’t completely eliminate them. This is the real danger, and it will be difficult for companies, financial institutions and government agencies to properly address this problem.”

Thrangrycat is remotely exploitable

The vulnerability is remotely exploitable and provides attackers with a backdoor into secure networks, allowing them to bypass cybersecurity defenses in order to gain full and persistent access inside the network.

An attacker could remotely exploit this vulnerability to intercept communications, steal or manipulate data, install stealthy implants and carry out further attacks on other connected devices. Red Balloon Security researchers have demonstrated physical destruction of Cisco routers by leveraging Thrangrycat via remote exploitation.

What can you do?

Red Balloon Security has been working closely with Cisco’s Product Security Incident Response Team (PSIRT) to address this vulnerability.

Cisco is in the process of developing and releasing software fixes for all affected platforms. In most cases, the fix will require an on-premises reprogramming of a low-level hardware component that is required for normal device operation.

Firmware fixes are already available for Cisco ASA 5500-X Series with FirePOWER Services and Cisco Firepower 2100, 4000 and 9000 Series security devices. Other security updates – and there will be many – are scheduled to be released in the next three months (June-August 2019).
