ThrAngryCats Vulnerability Affects Millions of Cisco Devices

Delaware, USA – May 15, 2019 – The newly disclosed vulnerability allows attackers to inject a persistent backdoor into millions of devices used all over the world. The ThrAngryCats vulnerability affects every device with a Trust Anchor module (TAm), which covers more than 100 Cisco product families released since 2013, including network switches, routers, and firewalls. The module is a hardware-based component that verifies the integrity of Cisco hardware and provides additional security services. Researchers at Red Balloon Security, Inc. have also discovered an RCE vulnerability in the web-based user interface of Cisco's IOS operating system. Exploiting ThrAngryCats together with this RCE vulnerability allows adversaries to remotely connect to the device with admin rights and bypass Cisco's secure boot mechanism to install a backdoor. "An attacker with root privileges on the device can modify the contents of the FPGA anchor bitstream, which is stored unprotected in flash memory. Elements of this bitstream can be modified to disable critical functionality in the TAm," Red Balloon researchers said.

The flaws reside in the hardware design, so it is unlikely that a security patch will fully resolve the underlying weakness. Cisco was informed about the flaws in late 2018 and has recently started issuing firmware patches to address both of them. Hundreds of millions of vulnerable Cisco devices are currently deployed in corporate networks around the world. The company said it has not recorded exploitation of these vulnerabilities in the wild, but the prospect of infecting and controlling the routers of enterprises and government entities is likely to attract many advanced threat actors. Update the firmware on any vulnerable devices in your organization as soon as possible. You can also use the Netflow Security Monitor rule pack for your SIEM to make quick decisions on network data flows, suspicious traffic spikes and deviations: https://my.socprime.com/en/integrations/netflow-security-monitor-arcsight