Thrangrycat security flaw uncovered in Cisco routers, firewalls and switches

'Thrangrycat' enables attackers to circumvent Cisco Trust Anchor module and perform remote code injection exploiting another root execution flaw

Cisco router, firewall and switch users have been warned about a vulnerability, dubbed 'Thrangrycat', affecting the devices' Trust Anchor module.

Identified by researchers at Red Balloon Security, it enables attackers to hijack vulnerable devices over the internet.

The Thrangrycat vulnerability, indexed as CVE-2019-1649, affects a variety of Cisco devices, including enterprise routers, firewalls and switches.

It is caused by design flaws within Cisco's Trust Anchor module (TAm), a proprietary security chip first introduced by the company in 2013. The primary job of the module is to cryptographically authenticate that the bootloader executing on Cisco gear is trustworthy.

Thrangrycat enables hackers to first circumvent the Cisco Trust Anchor module and then carry out a remote code injection attack using another root execution flaw (CVE-2019-1862). It enables attackers to overcome the secure boot process and overturn Cisco's chain of trust at its root.

Using the flaws, hackers can remotely install secretive implants, intercept private communications, steal data, and even execute further attacks on other attached devices.

Researchers at Red Balloon Security claim to have demonstrated remote exploitation of Thrangrycat to destruct Cisco ASR 1001-X routers. They attacked the module by manipulating the Field Programmable Gate Array (FPGA) bitstream. While the researchers tested the vulnerability only on Cisco ASR 1001-X routers, they say that all Cisco devices running an FPGA-based TAm are vulnerable.

Cisco has released a patch to resolve the vulnerability, although Red Balloon Security researchers believe that no software patch can fully fix the fundamental security vulnerability.

Dr Ang Cui, founder of Red Balloon Security, said that the Thrangrycat vulnerability potentially affects millions of devices around the world, many of them located within sensitive networks. Fixing the issue completely will be difficult as it will require physically replacing the Trust Anchor module chip in every device.

A software patch could help mitigate the risks to some extent, but it is unlikely to fully eliminate them, according to Cui.

"This is the real danger, and it will be difficult for companies, financial institutions and government agencies to properly address this problem," Cui added.
