Cisco Vulnerability: Exposes Enterprise Routers to Remote Hacking (May 14, 2019)
Two vulnerabilities have been discovered in Cisco’s most popular enterprise routers. Chained together, the two interoperating vulnerabilities allow an actor to remotely take control of Cisco’s enterprise 1001-X kit. The first vulnerability is in Cisco’s IOS XE operating system and allows attackers to gain root access to a device remotely; the second, called “Thrangrycat,” allows attackers to bypass Cisco’s Trust Anchor module (TAm) by manipulating the Field Programmable Gate Array (FPGA) bitstream. The TAm is a core security provision in nearly every Cisco product, so attackers can quietly assume control of a device, and from there of the network, while the device continues to report itself as “trustworthy.” Red Balloon Security provided a summary report on the vulnerabilities, stating that “since the flaws reside within the hardware design, it is unlikely that any software patch will fully resolve the fundamental security vulnerability.” Cisco is currently working on a software fix for all affected products; some of the vulnerable products have estimated patch dates as far away as October 2019. According to Cisco, customers will in most cases have to perform a physical, on-prem repair when the relevant patch is released.
Recommendation: Users and administrators of Cisco products should carefully review which products are reported to be affected by the Thrangrycat vulnerability, listed here: https://thrangrycat.com/. Furthermore, maintain software update policies so that your company can apply the necessary security patches when they are issued.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.