Critical Cisco exploit hands attackers keys to your business' network
Vulnerability in popular network hardware exposes core security module to remote hacking


Two serious vulnerabilities have been found in one of Cisco's most ubiquitous enterprise routers, the enterprise-grade 1001-X, that together enable hackers to take remote control of the device.
According to Red Balloon Security, a group known for exposing vulnerabilities in Cisco products, the device can be compromised by exploiting two interoperating vulnerabilities.
The first is a flaw in Cisco's IOS XE operating system. The vulnerability allows hackers to gain root access to a device remotely - this isn't uncommon, but it's still worrying.
The second and more damning flaw is called Thrangrycat, a vulnerability that allows hackers to bypass Cisco's Trust Anchor Module (TAm) via Field Programmable Gate Array (FPGA) bitstream manipulation.
Combining the two vulnerabilities lets an attacker control the router and persistently block updates to the TAm, and the compromised router could then act as a gateway to an attack on an entire network.
There is huge worry about the ramifications of the findings because the TAm is the core security provision in nearly every Cisco product. Attackers can quietly assume control of a device that can act as a portal to the network and do so while the device continues to report itself as 'trustworthy'.
In a summary report issued by Red Balloon Security, the researchers say that "since the flaws reside within the hardware design, it is unlikely that any software security patch will fully resolve the fundamental security vulnerability."
"Make no mistake, the vulnerabilities have the potential to disrupt global internet traffic and the recent disclosures of Cisco 1001-X router bugs have short and long term ramifications," said Sam Curry, chief security officer at Cybereason. "The second vulnerability is analogous to a bank leaving their vault doors open with all the security guards on lunch break creating a free-for-all."
"The troubling news is that researchers are reporting that Cisco's Trust Anchor security feature has been compromised," he added. "It is essentially the security stamp that Cisco puts on hundreds of millions of products. If the hackers can bypass this security feature, consider that there are at least 6 years of routers out there potentially affected, all eyes are on Cisco for what their response will be."
Red Balloon researchers have said that a simple software patch probably won't be sufficient to protect against the threat they uncovered. They said that an absolute workaround would be to implement an FPGA with an encrypted bitstream in all future products. It would be more financially and computationally demanding but would offer protection from this type of attack.
Cisco has said that it's currently working on a software fix for all the affected products. Of those that are vulnerable, some have estimated patch dates as far away as October 2019.
It said that in most cases, customers will have to perform a physical, on-prem repair to some low-level hardware when the relevant patch is released. It warns that a failure during this process can lead to total hardware failure, requiring the customer to purchase a replacement.
There is currently no evidence to suggest that the proof-of-concept code provided by Red Balloon to Cisco has been made available in the wild.
Cisco claimed to have successfully patched remote-code execution and information disclosure bugs found in its SMB routers, but in March it was found that the company had done so erroneously.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.