Red Balloon Security has found a high-risk flaw in Cisco’s secure boot process that affects a broad range of Cisco products, including routers, switches and firewalls.
Codenamed Thrangrycat, the flaw stems from a series of hardware design faults within Cisco’s Trust Anchor module. The Cisco Trust Anchor module, introduced in 2013, is a proprietary hardware security module used across an extensive range of Cisco products, including enterprise routers, switches and firewalls.
The Thrangrycat vulnerability allows an attacker to make persistent modifications to the Trust Anchor module through remote manipulation, thereby defeating the secure boot process and undermining Cisco’s chain of trust at its root.
Although the faults are rooted in hardware, Thrangrycat can be exploited remotely with no need for physical access. Because the Thrangrycat flaws reside in the hardware design, it is considered unlikely that any software security patch will completely resolve this critical security vulnerability.
“This is a significant security weakness which potentially exposes a large number of corporate, government and even military networks to remote attacks,” said Dr. Ang Cui, founder and chief scientist of Red Balloon Security. “We’re talking about tens of millions of devices potentially affected by this vulnerability, many of them located inside of sensitive networks. These Cisco products form the backbone of secure communications for these organizations, and yet we can exploit them to permanently own their networks. Fixing this problem isn’t easy, because to truly remediate it requires a physical replacement of the chip at the heart of the Trust Anchor system. A firmware patch will help to offset the risks, but it won’t completely eliminate them. This is the real danger, and it will be difficult for companies, financial institutions and government agencies to properly address this problem.”
Because it is remotely exploitable, the flaw gives attackers a backdoor into secure networks, allowing them to bypass cybersecurity defenses and gain complete, persistent access inside the network.
An attacker could remotely exploit this flaw to disrupt communications, steal or manipulate data, install stealthy implants and launch further attacks on other connected devices. Red Balloon Security researchers have demonstrated physical destruction of Cisco routers by leveraging Thrangrycat through remote exploitation.
What can be done?
Cisco is in the process of developing and releasing software fixes for all affected platforms. In most cases, the fix will require an on-premises reprogramming of a low-level hardware component that is essential to normal device operation.