Two serious vulnerabilities have been found in one of Cisco's most ubiquitous enterprise routers that enable hackers to remotely control Cisco's enterprise-grade 1001-X kit.
According to Red Balloon Security, a group known for exposing vulnerabilities in Cisco products, the security flaw can be exploited by two interoperating vulnerabilities.
The first is a flaw in Cisco's IOS XE operating system. The vulnerability allows hackers to gain root access to a device remotely - this isn't uncommon, but it's still worrying.
The second and more damning flaw is called Thrangrycat, a vulnerability that allows hackers to bypass Cisco's Trust Anchor Module (TAm) via Field Programmable Gate Array (FPGA) bitstream manipulation.
Combining the two vulnerabilities together gives the attacker the chance to control the router and persistently block updates to the TAm which could act as a gateway to an attack on an entire network.
There is huge worry about the ramifications of the findings because the TAm is the core security provision in nearly every Cisco product. Attackers can quietly assume control of a device that can act as a portal to the network and do so while the device continues to report itself as 'trustworthy'.
In a summary report issued by Red Balloon Security, the researchers say that "since the flaws reside within the hardware design, it is unlikely that any software security patch will fully resolve the fundamental security vulnerability."
"Make no mistake, the vulnerabilities have the potential to disrupt global internet traffic and the recent disclosures of Cisco 1001-X router bugs have short and long term ramifications," Sam Curry, chief security officer at Cybereason. "The second vulnerability is analogous to a bank leaving their vault doors open with all the security guards on lunch break creating a free-for-all."
"The troubling news is that researchers are reporting that Cisco's Trust Anchor security feature has been compromised," he added. "It is essentially the security stamp that Cisco puts on hundreds of millions of products. If the hackers can bypass this security feature, consider that there are at least 6 years of routers out there potentially affected, all eyes are on Cisco for what their response will be."
Red Balloon researchers have said that a simple software patch probably won't be sufficient to protect against the threat they uncovered. They said that an absolute workaround would be to implement an FPGA with an encrypted bitstream to all future products. It would be more financially and computationally demanding but would offer protection from this type of attack.
Cisco has said that it's currently working on a software fix for all the affected products and of those that are vulnerable, some have estimated patch dates as far away as October 2019.
It said that in most cases, customers will have to perform a physical, on-prem repair to some low-level hardware when the relevant patch is released. It warns that a failure during this process can lead to total hardware failure, requiring the customer to purchase a replacement.
There is currently no evidence to suggest that the proof of concept code provided by Red Balloon to Cisco has been made available in the wild.
Cisco claimed to have successfully patched remote-code execution and information disclosure bugs found in its SMB routers, but in March it was found the company did so erroneously.
