Red Balloon Security announced that it has found a bug in Cisco's secure boot process that could have a huge impact on the networking giant's customers.
Given the number of routers, switches and firewalls that Cisco has deployed globally, Red Balloon Security said the critical vulnerability could affect service providers, government networks and enterprises on a massive scale.
The bug, which is code named "Thrangrycat," was caused by design flaws within Cisco's Trust Anchor module. The Trust Anchor is a security feature that Cisco has used across its enterprise routers, switches and firewalls since it was first introduced in 2013.
The Trust Anchor is a "secure enclave" within motherboards, separate from a device's memory or a discrete chip. In theory, users and administrators aren’t able to make changes over the Trust Anchor because it serves as the underpinning security and trustworthy computing mechanisms in devices.
The Thrangrycat vulnerability allows an attacker to make persistent modifications to the Trust Anchor module via remote explotations without the need for physical access. Thrangrycat can defeat the secure boot process and invalidates Cisco's chain of trust at its very core, according to Red Balloon.
Red Balloon said it tested Cisco 1001-X routers, and found that its employees could not only compromise the secure boot process, but also that the Trust Anchor still reported that the device was trustworthy.
Red Balloon Security researchers have demonstrated physical destruction of Cisco routers by leveraging Thrangrycat via remote exploitation, according to the company. The company also said it found a bug in Cisco's IOS operating system. On Monday, Cisco announced a patch for some of the issues that the Red Balloon researchers discovered.
“Cisco is committed to transparency," a Cisco spokesperson wrote in an email to FierceTelecom. "When security issues arise, we handle them openly and as a matter of top priority, so our customers understand the issue and how to address it. On May 13, Cisco published a security advisory about a vulnerability in the logic handling access control to one of the hardware components on Cisco's proprietary Secure Boot implementation.
"Cisco Product Security Incident Response Team (PSIRT) is not aware of any malicious use of the vulnerability that is described in this advisory. Cisco will release fixes for this vulnerability. Customers should review the advisory for complete detail to assess and protect their networks."
Since the Thrangrycat flaws reside within the hardware design, Red Balloon said it was unlikely that a software security patch would fully resolve the fundamental security issue.
“This is a significant security weakness which potentially exposes a large number of corporate, government and even military networks to remote attacks,” said Dr. Ang Cui, founder and chief scientist of Red Balloon Security, in a statement. “We’re talking about tens of millions of devices potentially affected by this vulnerability, many of them located inside of sensitive networks. These Cisco products form the backbone of secure communications for these organizations, and yet we can exploit them to permanently own their networks."
Cui added, "Fixing this problem isn’t easy, because to truly remediate it requires a physical replacement of the chip at the heart of the Trust Anchor system. A firmware patch will help to offset the risks, but it won’t completely eliminate them. This is the real danger, and it will be difficult for companies, financial institutions and government agencies to properly address this problem.”