CVE-2019-1649: Cisco Secure Boot Hardware Tampering Vulnerability Alert

Red Balloon Security, Inc recently released a report on two vulnerabilities in Cisco products. “The first vulnerability, called Thrangrycat, allows an attacker to fully bypass Cisco’s Trust Anchor module (TAm) via Field Programmable Gate Array (FPGA) bitstream manipulation. The second is a remote command injection vulnerability against Cisco IOS XE version 16 that allows remote code execution as root. By chaining the Thrangrycat and remote command injection vulnerabilities, an attacker can remotely and persistently bypass Cisco’s secure boot mechanism and lock out all future software updates to the TAm.”

The report states that Thrangrycat was caused by a series of hardware design flaws in the Cisco Trust Anchor module. The Cisco Trust Anchor module (TAm, Trust Anchor) was first commercialized in 2013 and is a proprietary hardware security module used across a variety of Cisco products, including enterprise routers, switches, and firewalls.

TAm is a hardware module designed specifically to verify the secure boot process. When the system is powered on, it executes a series of instructions to immediately verify the integrity of the boot loader. If any fault is detected, the user is notified and the device is restarted, so that it does not execute a tampered boot loader.

“Thrangrycat allows an attacker to make persistent modification to the Trust Anchor module via FPGA bitstream modification, thereby defeating the secure boot process and invalidating Cisco’s chain of trust at its root. While the flaws are based in hardware, Thrangrycat can be exploited remotely without any need for physical access. Since the flaws reside within the hardware design, it is unlikely that any software security patch will fully resolve the fundamental security vulnerability.”
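To make the two points above concrete (the anchor verifies the boot loader and halts on a mismatch; an anchor that has itself been altered no longer protects anything), here is a small toy model added for this alert. It is not Cisco's code and does not describe how the TAm or its FPGA bitstream actually work: the root key, the sample images, the `TrustAnchor` class and the external `anchor_fingerprint` check are all constructed for illustration. The last part goes slightly beyond the text by showing why a defender needs an integrity check of the anchor that is held outside the anchor itself.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample data for illustration only; not real Cisco firmware or keys.
ROOT_KEY = b"constructed-root-of-trust-key"
GOOD_BOOTLOADER = b"constructed bootloader image v1"
TAMPERED_BOOTLOADER = b"constructed bootloader image v1 + implant"


def mac_of(image: bytes) -> bytes:
    """Keyed measurement of an image under the root key. This stands in for
    whatever verification the hardware performs on the boot loader."""
    return hmac.new(ROOT_KEY, image, hashlib.sha256).digest()


@dataclass
class TrustAnchor:
    """Toy root of trust (hypothetical). It holds both the reference
    measurement and the verification logic, so whoever can rewrite the anchor
    can change either one. That is the situation the page describes."""
    reference_mac: bytes
    verification_enabled: bool = True

    def accepts(self, image: bytes) -> bool:
        if not self.verification_enabled:
            # Verification logic removed from the anchor: every image passes.
            return True
        return hmac.compare_digest(mac_of(image), self.reference_mac)


def boot(anchor: TrustAnchor, image: bytes) -> str:
    """'booted' if the anchor accepts the boot loader, otherwise 'halted'
    (the page says the device notifies the user and restarts)."""
    return "booted" if anchor.accepts(image) else "halted"


def anchor_fingerprint(anchor: TrustAnchor) -> str:
    """Fingerprint of the anchor's own configuration. Comparing it against a
    golden value recorded at provisioning and stored OUTSIDE the anchor
    (an assumption of this model) is what lets a defender notice that the
    root itself was altered."""
    flag = b"\x01" if anchor.verification_enabled else b"\x00"
    return hashlib.sha256(anchor.reference_mac + flag).hexdigest()


def demo() -> dict:
    """Run the three boot scenarios plus the external anchor check."""
    intact = TrustAnchor(reference_mac=mac_of(GOOD_BOOTLOADER))
    golden = anchor_fingerprint(intact)  # recorded when the anchor was provisioned

    # Anchor rewritten so that it no longer verifies (models a changed root).
    bypassed = TrustAnchor(reference_mac=intact.reference_mac,
                           verification_enabled=False)

    return {
        "good_image_intact_anchor": boot(intact, GOOD_BOOTLOADER),
        "tampered_image_intact_anchor": boot(intact, TAMPERED_BOOTLOADER),
        "tampered_image_bypassed_anchor": boot(bypassed, TAMPERED_BOOTLOADER),
        "intact_anchor_attested": anchor_fingerprint(intact) == golden,
        "bypassed_anchor_attested": anchor_fingerprint(bypassed) == golden,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The intact anchor halts on the tampered image, the rewritten anchor boots it, and only the fingerprint held outside the anchor reveals the difference between the two anchors. The model's lesson for operators is the one the report draws: a software patch that runs after the root has been modified cannot be relied on to detect the modification, so the check has to come from somewhere the root does not control.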

Red Balloon Security notified Cisco in November last year, and Cisco issued a security advisory on the same day. Cisco's advisory lists more than 130 affected products. Red Balloon Security also plans to present the research at Black Hat USA 2019 in August.

Currently, Cisco is continuing to release software updates for this vulnerability.