It's 2019 so now security vulnerabilities are branded using emojis: Meet Thrangrycat, a Cisco router secure boot flaw Security weaknesses at the heart of some of Cisco's network routers, switches, and firewalls can be exploited by hackers to hide spyware deep inside compromised equipment. In order to exploit these flaws, dubbed 😾😾😾 or Thrangrycat by their discoverers, a miscreant or rogue employee needs to be able to log into the vulnerable …
Snowden's data dump showed that the NSA likes intercepting shipments to some clients to install backdoors.
I would say this flay perfectly fits their modus operandi. I'm not saying they encouraged cisco to set things up like this, but I'd be surprised if they hadn't already found this situation...
Yes this 'flaw' does seem to fit very nicely with the previously disclosed Photos of an NSA “upgrade” factory show Cisco router getting implant
Only issue is that the photo disclosure dates the activities as happening in 2010, according to Thrangrycat/Red Balloon their discovery exploits a feature introduced in 2013...
However, the publication of Glenn Greenwald's book in 2014 and an associated trove of papers might not be unrelated...
That is what I've been thinking. If it was insecure, wouldn't they be throwing out piles and piles of CVEs and proof-of-concept exploits? Yet they seem to have left all their proof in their other pants or something.
Dear America,
CVEs or it didn't happen
-Signed, everyone tired of your bullshit lies.
Because at this point, given the sheer number of security bugs reports I keep seeing, it seems that Cisco is the insecure one...
"Choosing <El reg doesn't support emojis in comments?> instead of a name rooted in any one language ensures that the technical contents of our research can be discussed democratically and without latent cultural or linguistic bias." (but against our feline overlords, IMHO)
"There is no phonetic transcription for this specific sequence of repeated emojis"
Let me know how I can discuss something that can't be pronounced in any language... some people still talk face to face, not only messaging each other....
Privilege escalation may also be possible from CLI, depending on IOS XE version. See https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-xecmd
Same basic attack vector - go in as admin via web or CLI, escalate privileges, plant yourself in the TAm.
Kudos to your spot-on reporting, vultures. A quick web search shows a bunch of hastily written stories by other tech rags that are anywhere from plain wrong to misleading to incomplete, and that includes ZDNet, who warn that “an attacker located anywhere on the internet can take over devices.” A little too breathless. For some value of “attacker”, sure. The one with access to your internal network and authenticated admin access to your gear.
Whilst the admin access requirement has already been noted, this makes this a lot worse by extending the window of opportunity.
Someone who only has access to the devices for a short period of time can compromise them forever, not just the duration of their (legitimate) access.
My world just got a lot more complicated. If this starts getting exploited I can see people switching to more secure Chinese kit :)
>Someone who only has access to the devices for a short period of time can compromise them forever, not just the duration of their (legitimate) or illegitimate access.
Remember Cisco, like most vendors ship product with well-known default admin credentials eg. admin/admin. Someone who only has access to the devices for a short period of time can compromise them forever, not just the duration of their (legitimate) access - perfect for spook delivery intercept access.
This post has been deleted by its author
Yup, Cisco have them, Huawei have them, in fact if someone ever produced a totally bug free piece of software, I'd be amazed. Yet for some reason when it's Huawei it's headlines and calls for the Chinese Satan to be boycotted, yet when it's Cisco it's swept under the carpet. Do Trump/Pompeo not realise just how completely transparent their pathetic attempts are? They are more likely to push us into the arms of the Chinese than the other way around.
Sure, there are defects everywhere. The NXP i.MX chips were shipping with a flaw that allowed a similar exploit. The i.MX chips have two modes for their secure firmware: signed or encrypted. The flaw for signed mode was giving it munged signing certificates, and then the checks would be aborted due to a stack overflow. The flaw for the encrypted mode was simply a malicious encrypted update of the same size. Otherwise, the modes worked just as intended...
All that said, the i.MX chips have the right idea. Certificates are generated, and then a hash of the public keys are burned into PROM ("e-fuses"). The ROM checks the boot loader for its signature, and then allows it to execute. Once the trusted boot loader is running, it can check the Linux kernel for integrity, and then allow it to boot. After that, of course all bets are off.
From a US perspective it does make sense. They known the can control Cisco but not Huawei. From a Chinese perspective it's the other way round (although China can probably compromise more Cisco hardware made in China than US can compromise Huawei hardware made in the US).
Everybody else should treat both of them as possible trojan horses.... Europe should bet on Nokia/Ericcson/Alcatel....
Getting admin access: We see these vulnerabilities not just in Cisco but in other equipment too. So that is not a challenge.
Essentially Cisco did the "CHEAP" and easy thing: store supposedly "trusted code" on SPI flash. That is a no-no from so many different perspectives that I can't believe that it wasn't flagged. Probably overridden by management because they believed "no one will be able to do it as it is so hard".
This sort of mistake is so easy to overcome; I bet the basic patents have all expired if they want to save money. You can get a $1 ARM MCU that has TrustZone or an $1.50 ECC 608.
I wonder. In the human world, very sensitive activities need to be carried out by multiple people at once. For example, the nuclear launchers 2 key systems. Or multiple signatures on large bank withdrawals.
Has there ever been any thought on using something like a 2nd auth on computer systems in cases of extreme sensitivity? Like, gee, modifying a trust module’s settings? Possibly even a physical jumper?
I know, most likely unproductive and impractical. But just curious if any theoretical work’s been done.
BTW I agree that the article makes it clear you’re already on a root-compromised system. But the ability to go dark, in such a system-supported way, from the initial breach is something extra problematic.
Or, the original method: No software-updatable firmware, your code is located on wide DIP-chips that fit into a socket. If you wanted to change the firmware, you had to crack the thing open. Maybe we should return to that model for security-sensitive components.
Having to ship a physical piece of silicon and then convince someone to stick it in their equipment is a pretty big barrier to attackers and malware versus the current model f just a few bits across the wire. Sure, its expensive, but you know what is less expensive? Properly testing security-senstive shit before shipping it rather than relying on "We can just patch it later".
Having to ship a physical piece of silicon and then convince someone to stick it in their equipment is a pretty big barrier to attackers and malware versus the current model
It isn't the big barrier you believe it to be, trust me. In fact, I'd say it's probably easier to carry out than exploiting this vuln.
Depressing, but proven true repeatedly.
First off, why should I trust an Anonymous Coward that has provided precisely zero citations for their claims?
But secondly, pray tell, -how- is it easier? The vulnerability could be exploited by a simple bit of malware on a network admin's computer that waits for them to connect to the Cisco UI.
Whereas I imagined that if there was a vulnerability in a security-sensitive chunk of code that the manufacturer would send out an announcement to affect customers and/or news sites. The affected customer would then enter their serial number onto a page to request the updated chip, when the chip is shipped, they get a tracking number. Exploiting this method would require somehow waylaying the shipment and replacing it without the shipping agency getting wise. The package itself could also contain a number of anti-tampering measures. They could even etch the serial number of the system the chip is intended for onto the chip (Which would require the malicious actor to already know the serial number). Most systems will also output the signature of the various add-in ROMs the BIOS hand execution off to, which can be done here. Maybe include something in the BIOS that if BIOS signatures change, it notifies the operator. So that post-install, a message pops up and gives a sha256 and crc checksums or something, which can be matched with data sent by manufacturer in an email or posted on their website.
At the very least, requiring a physical item to be replaced would generate all sorts of change management procedures, downtime to be scheduled, etc,. Someone is going to notice a piece of equipment being taken down while no one is going to notice that some hidden bit of software has been modified.
Putting it in something that can be reprogrammed is stupid. They should have a simple ROM that loads the "secure bootloader" code off flash, which has been encrypted with a private key that you keep secure and decrypted with a public key that's kept in the ROM. That way the secure bootloader code can be changed if necessary - but it should be done only to fix a bug or correct a security issue, "features" are for the full OS the bootloader loads. Better yet - have several public keys installed in the ROM, in case one of your private keys leaks and you have to stop using it for bootloader firmware updates.
Use of an FPGA here is strange, is it because they already have other FPGA resources in the router and can devote a little corner to this? It isn't like a bootloader benefits from running in "hardware" (if you can call an FPGA that) versus a little ARM or RISCV core.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
