Cisco has confirmed a vulnerability in the secure boot process of multiple Cisco hardware products, including enterprise firewalls, routers and switches. Tracked as CVE-2019-1649 and the result of a series of hardware design flaws, the Thrangrycat vulnerability affects the Trust Anchor module (TAm), which acts as the root of trust for the other security mechanisms in those devices. Of most concern is that, at the time of writing, there are "no workarounds available" according to the Cisco security advisory, which rates Thrangrycat as high risk.
Researchers from Red Balloon found that by chaining Thrangrycat with a separate remote command injection vulnerability in Cisco IOS XE version 16 (CVE-2019-1862), an attacker could "remotely and persistently bypass Cisco's secure boot mechanism and lock out all future software updates to the TAm." The distinction matters for anyone assessing exposure: tampering with the TAm itself requires root privileges on the device, so the remote part of the attack comes from the command injection bug, which supplies that foothold. What's more, the researchers note that although the flaws are hardware based, Thrangrycat can be "exploited remotely without any need for physical access", and because they reside in the hardware design it is "unlikely that any software security patch will fully resolve the fundamental security vulnerability."
Sam Curry, chief security officer at Cybereason, told SC Media UK that "the vulnerabilities have the potential to disrupt global internet traffic." Describing the second vulnerability as being analogous to a bank leaving the vault doors open with all the security guards on lunch break, Curry warns that "anything that potentially can affect the large routers that move mega-traffic amongst the online retailers, banks, global stock exchanges, social media companies, the largest enterprises and the governments in the world is the ideal target for attackers."
Anjola Adeniyi, technical leader at Securonix, talking to SC Media UK, was quick to point out that while there have been "concerns about the likes of Huawei and Kaspersky, it's important to note that even trusted vendors can carry significant risks." The Huawei comparison has not escaped Igor Baikalov, chief scientist at Securonix, either. "They are vulnerabilities, right?" he says, continuing, "they are backdoors in Huawei equipment, but in Cisco's they might even be design principles."
In conversation, Baikalov added that the whole notion of having a dynamically programmable microcontroller at the core of a supposedly immutable trust module doesn't strike him as a secure design. "The fact that its function can be compromised, while the module still assures the victim that everything is alright, is terrifying," according to Baikalov. He is scathing about the fact that Cisco doesn't appear to be planning an audit tool to help customers detect the compromise, "because these are not backdoors, those get you banned from the market, but these are just itsy-bitsy vulnerabilities that Cisco doesn't think nation-states can exploit, especially now that the details are made public, fixes are not ready yet and, when they are, it will take months and months of painstaking efforts to apply on-premise."
So what can be done to mitigate the risk now, given that an architectural fix is not expected any time soon, if ever? "This calls for new countermeasures and monitoring and establishing more defence-in-depth," Curry says, adding, "if the hackers can bypass this (TAm) security feature, consider that there are at least six years of routers out there potentially affected. All eyes are on Cisco for what their response will be." Baikalov concludes, with more than a little sarcastic edge and not much confidence in a Cisco fix arriving soon, that "it's a good thing we don't have backdoors... Sleep well, Internet-connected world!"