Category Archives: Cisco

Thangrycat: A Serious Cisco Vulnerability

Summary:

Thangrycat is caused by a series of hardware design flaws within Cisco's Trust Anchor module. First commercially introduced in 2013, Cisco Trust Anchor module (TAm) is a proprietary hardware security module used in a wide range of Cisco products, including enterprise routers, switches and firewalls. TAm is the root of trust that underpins all other Cisco security and trustworthy computing mechanisms in these devices. Thangrycat allows an attacker to make persistent modification to the Trust Anchor module via FPGA bitstream modification, thereby defeating the secure boot process and invalidating Cisco's chain of trust at its root. While the flaws are based in hardware, Thangrycat can be exploited remotely without any need for physical access. Since the flaws reside within the hardware design, it is unlikely that any software security patch will fully resolve the fundamental security vulnerability.

From a news article:

Thrangrycat is awful for two reasons. First, if a hacker exploits this weakness, they can do whatever they want to your routers. Second, the attack can happen remotely ­ it's a software vulnerability. But the fix can only be applied at the hardware level. Like, physical router by physical router. In person. Yeesh.

That said, Thrangrycat only works once you have administrative access to the device. You need a two-step attack in order to get Thrangrycat working. Attack #1 gets you remote administrative access, Attack #2 is Thrangrycat. Attack #2 can't happen without Attack #1. Cisco can protect you from Attack #1 by sending out a software update. If your I.T. people have your systems well secured and are applying updates and patches consistently and you're not a regular target of nation-state actors, you're relatively safe from Attack #1, and therefore, pretty safe from Thrangrycat.

Unfortunately, Attack #1 is a garden variety vulnerability. Many systems don't even have administrative access configured correctly. There's opportunity for Thrangrycat to be exploited.

And from Boing Boing:

Thangrycat relies on attackers being able to run processes as the system's administrator, and Red Balloon, the security firm that disclosed the vulnerability, also revealed a defect that allows attackers to run code as admin.

It's tempting to dismiss the attack on the trusted computing module as a ho-hum flourish: after all, once an attacker has root on your system, all bets are off. But the promise of trusted computing is that computers will be able to detect and undo this kind of compromise, by using a separate, isolated computer to investigate and report on the state of the main system (Huang and Snowden call this an introspection engine). Once this system is compromised, it can be forced to give false reports on the state of the system: for example, it might report that its OS has been successfully updated to patch a vulnerability when really the update has just been thrown away.

As Charlie Warzel and Sarah Jeong discuss in the New York Times, this is an attack that can be executed remotely, but can only be detected by someone physically in the presence of the affected system (and only then after a very careful inspection, and there may still be no way to do anything about it apart from replacing the system or at least the compromised component).

The UK Government Huawei Dilemma and the Brexit Factor

In the last couple of days, Google announced it will be putting restrictions on Huawei’s access to its Android operating system, massively threatening Huawei's smartphone market. Meanwhile, UK based chip designer ARM has told its staff to suspend all business activities with Huawei, over fears it may impact ARM's trade within the United States.  Fuelling these company actions is the United States government's decision to ban US firms with working with Huawei over cybersecurity fears.

The headlines this week further ramps up the pressure on the UK government to follow suit, by implementing a similar ban on the use of Huawei smartphones and network devices within the UK, a step beyond their initial 5G critical infrastructure ban announced last month. But is this really about a foreign nation-state security threat? Or is it more about it geo-economics and international politicking?
Huawei: A Security Threat or an Economic Threat?

Huawei Backdoors
It’s no secret that Huawei was founded in 1987 by Ren Zhengfei, a former engineer in the People's Liberation Army, and the company was quickly built with the backing of major Chinese state and military contracts. But the US government, secret services and military are also known to invest heavily in Silicon Valley and US tech firms. In recent weeks there have been a number of accusations about deliberate backdoors placed within Huawei devices, implying the usage of Huawei devices could aid Chinese forces in conducting covert surveillance, and with potentially causing catastrophic impacting cyber attacks.
The reality is all software and IT hardware will have a history of exploitable vulnerabilities, and it is pretty much impossible to determine which could be intentionally placed covert backdoors, especially as an advanced and sophisticated nation-state actor would seek to obfuscate any deliberately placed backdoor as an unintentional vulnerability. 

For instance, the following are critical security vulnerabilities reported within tech made by US firms in just the last 9 days, no suggestion any of these are intentionally placed backdoors:
The more usual approach taken by nation-state intelligence and offensive cyber agencies is to invest in finding the unintentional backdoors already present in software and hardware. The discovery of new and completely unknown 'zero-day' security vulnerability is their primary aim. Non-published zero-days vulnerabilities are extremely valuable, clearly, a value lost if they were to inform the vendors about the vulnerability, as they would seek to quickly mitigate with a software patch.

For instance, the United States National Security Agency (NSA) found and exploited vulnerabilities in Windows without informing Microsoft for over five years, creating a specific hacking tool called EternalBlue, which is able to breach networks. The very same tool that was leaked and used within the devasting WannaCry ransomware attack last year. 

The WhatsApp vulnerability reported last week was another public example of this approach, where a private Israeli firm NSO Group found a serious vulnerability within WhatsAppBut instead of informing Facebook to fix it, NSO created a tool to exploit the vulnerability, which it sold to various governments. The ethics of that is a debate for another day.
The Laws which allows Nation-States to Conduct Cyber Surveillance
The United States has significant surveillance powers with the "Patriot Act", the Freedom Act and spying internationally with FISA. China has its equivalent surveillance powers publicly released called the "2017 National Intelligence Law". This law states Chinese organisations are "obliged to support, cooperate with, and collaborate with national intelligence work". But just like Apple, Microsoft and Google, Huawei has categorically said it would refuse to comply with any such government requests, in a letter in UK MPs in February 2019. Huawei also confirmed "no Chinese law obliges any company to install backdoors", a position they have backed up by an international law firm based in London. The letter went on to say that Huawei would refuse requests by the Chinese government to plant backdoors, eavesdropping or spyware on its telecommunications equipment.

The Brexit Factor
There is a lot of geo-politicking and international economics involved with Huawei situation, given the US government are aggressively acting to readdress their Chinese trade deficit. It appears to be more than just a coincidence, the United States government is choosing now to pile on the pressure on its allies to ban Huawei, the world's largest telecommunications equipment manufacturer. Country-wide Huawei bans are extremely good economic news for US tech giants and exporters like Cisco, Google, and Apple, who have been rapidly losing their global market share to cheaper Huawei products in recent years.

To counter the US economic threat to their business foothold within the UK, Huawei is offering a huge carrot in the form of investing billions into UK based research centres, and a big stick in threatening to walk away from the UK market altogether. The has led to the UK government leadership becoming at odds with the MOD, the latter desire to stand shoulder-to-shoulder with the US and other NATO allies, in banning Huawei devices. This tension exploded with a very public spat between Prime Minister Theresa May and the Secretary of Defence, Gavin Williamson last month. The PM continued to defy the MOD's security warnings and Gavin Williamson was fired for allegedly leaking classified documents about the Huawei UK national security threat, an accusation which he vehemently denies.

Why the UK Gov is stuck between a Rock and Hard Place
The UK government continue to be stuck between a rock and a hard place, playing a balancing act of trying to keep both the United States and China happy, in a bid to score lucrative post-Brexit multi-billion-pound trade deals. This status-quo leaves UK Huawei smartphone consumers and UK businesses using Huawei network devices, caught in the middle. However, due to the relentless US pressure causing regular negative mainstream media headlines about the security of Huawei products, the Chinese tech giant may well be driven out of UK markets without a UK government ban.

Tata Communications and Cisco to enable enterprises a multi-cloud native hybrid network transformation

The leading global digital infrastructure provider Tata Communications and Cisco have extended their partnership to enable enterprises to transform their legacy network to a customised and secure multi-cloud native hybrid network. The combination of Tata Communications’ IZO cloud enablement platform and Cisco SD-WAN is a fully-managed, global solution that gives businesses greater control over their digital infrastructure, the ability to securely connect any user to any application location, and provide the assurance of application performance … More

The post Tata Communications and Cisco to enable enterprises a multi-cloud native hybrid network transformation appeared first on Help Net Security.

Cisco addressed a critical flaw in networks management tool Prime Infrastructure

Cisco had issued security updates to address 57 security flaw, including three flaws in networks management tool Prime Infrastructure.

One of the flaws addressed by Cisco in the Prime Infrastructure management tool could be exploited by an unauthenticated attacker to execute arbitrary code with root privileges on PI devices.

“Multiple vulnerabilities in the web-based management interface of Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network (EPN) Manager could allow a remote attacker to gain the ability to execute arbitrary code with elevated privileges on the underlying operating system.” reads the advisory published by Cisco.

“One of these issues, CVE-2019-1821, can be exploited by an unauthenticated attacker that has network access to the affected administrative interface.”

The remaining two issues, tracked as CVE-2019-1822 and CVE-2019-1823, could be exploited by an attacker that has valid credentials to authenticate to the impacted administrative interface.

The flaws affect Cisco Prime Infrastructure Software releases prior to 3.4.1, 3.5, and 3.6, and EPN Manager Releases prior to 3.0.1.

The vulnerabilities were discovered by Steven Seeley of Source Incite.

“These vulnerabilities exist because the software improperly validates user-supplied input,” continues the advisory. “An attacker could exploit these vulnerabilities by uploading a malicious file to the administrative web interface. A successful exploit could allow the attacker to execute code with root-level privileges on the underlying operating system.”

Cisco PSIRT experts are aware of any attacks exploiting the flaws in the wild.

Cisco Prime Infrastructure

A few days ago, Cisco fixed the Thrangrycat, a vulnerability tracked as CVE-2019-1649 that affects multiple Cisco products supporting the Trust Anchor module (TAm). The issue could be exploited by an attacker to fully bypass Cisco’s Trust Anchor module (TAm) via Field Programmable Gate Array (FPGA) bitstream manipulation.

Pierluigi Paganini

(SecurityAffairs – Cisco Prime infrastructure, hacking)

The post Cisco addressed a critical flaw in networks management tool Prime Infrastructure appeared first on Security Affairs.

Tata Communications and Cisco to offer enterprises a secure multi-cloud native hybrid network

The leading global digital infrastructure provider Tata Communications and Cisco have extended their partnership to enable enterprises to transform their legacy network to a customised and secure multi-cloud native hybrid network. The combination of Tata Communications’ IZO cloud enablement platform and Cisco SD-WAN is a fully-managed, global solution that gives businesses greater control over their digital infrastructure, the ability to securely connect any user to any application location, and provide the assurance of application performance … More

The post Tata Communications and Cisco to offer enterprises a secure multi-cloud native hybrid network appeared first on Help Net Security.

Cisco Service Provider, WebEx Bugs Offer Up Remote Code Execution

The vendor also issued a patch schedule for the still-unpatched bug in its Secure Boot trusted hardware environment, which affects most of its enterprise and SMB portfolio, amounting to millions of vulnerable devices.

Thrangrycat flaw could allow compromising millions of Cisco devices

Security firm Red Balloon discovered a severe vulnerability dubbed Thrangrycat, in Cisco products that could be exploited to an implant persistent backdoor in many devices.

Experts at Red Balloon Security disclosed two vulnerabilities in Cisco products. The first issue dubbed Thrangrycat, and tracked as CVE-2019-1649, affects multiple Cisco products that support Trust Anchor module (TAm).

could be exploited by an attacker to fully bypass Cisco’s Trust Anchor module (TAm) via Field Programmable Gate Array (FPGA) bitstream manipulation. The second vulnerability, tracked as
CVE-2019-1862, is a remote command injection issue that affects Cisco IOS XE version 16 and that could allow remote attackers to execute code as root.

By chaining the flaws an attacker can remotely and persistently bypass Cisco’s secure boot mechanism and lock out all future software updates to the TAm.

A vulnerability in the logic that handles access control to one of the hardware components in Cisco’s proprietary Secure Boot implementation could allow an authenticated, local attacker to write a modified firmware image to the component.” reads the advisory published by Cisco. “This vulnerability affects multiple Cisco products that support hardware-based Secure Boot functionality. “

The Trust Anchor module (TAm) is a hardware-based component the allows to check that Cisco hardware is authentic and also implements additional security services.

Cisco Secure Boot helps ensure that the code running on Cisco hardware platforms is authentic and unmodified, it is available in Cisco devices since 2013.

The researchers discovered that an attacker with root privileges can make a persistent modification to the Trust Anchor module via FPGA bitstream modification and load a malicious bootloader.

“An attacker with root privileges on the device can modify the contents of the FPGA anchor bitstream, which is stored unprotected in flash memory.” reads the analysis published by the experts.

“Elements of this bitstream can be modified to disable critical functionality in the TAm. Successful modification of the bitstream is persistent, and the Trust Anchor will be disabled in subsequent boot sequences. It is also possible to lock out any software updates to the TAm’s bitstream.”

Thrangrycat flaw Cisco devices

Cisco classified the flaw as high severity, it received a CVSS Score Base 6.7 because the exploitation of the flaw requires root privileges. Anyway, Red Balloon pointed out that attackers could also exploit the Thrangrycat vulnerability remotely by chaining it together with other vulnerabilities that could allow them to gain root access or, at least, execute commands as root.

“An attacker with elevated privileges and access to the underlying operating system that is running on the affected device could exploit this vulnerability by writing a modified firmware image to the FPGA.” continues the advisory published by Cisco. “A successful exploit could either cause the device to become unusable (and require a hardware replacement) or allow tampering with the Secure Boot verification process, which under some circumstances may allow the attacker to install and boot a malicious software image. “

Summarizing, the attackers first exploit the RCE vulnerability (CVE-2019-1862) in the web-based user interface of Cisco’s IOS that allows a logged-in administrator to remotely execute arbitrary commands on the underlying Linux shell with root privileges.

Then, once gained root access, the attacker can remotely bypass Trust Anchor module (TAm) on a targeted device triggering the Thrangrycat vulnerability and install a malicious backdoor.

The flaws are very concerning because they reside in the hardware and cannot be addressed with a software patch.

“Since the flaws reside within the hardware design, it is unlikely that any software security patch will fully resolve the fundamental security vulnerability.” concludes the advisory published by Red Balloon.

The experts successfully tested the flaw against Cisco ASR 1001-X routers, but hundreds of millions of Cisco units featuring an FPGA-based TAm implementation are vulnerable.

Red Balloon experts reported the flaws to Cisco in November 2018 and publicly disclosed some details to the public after Cisco released firmware patches to address the vulnerabilities.

The good news is that Cisco in not aware of attacks in the wild exploiting the two vulnerabilities.

Pierluigi Paganini

(SecurityAffairs – Thrangrycat, Cisco)

The post Thrangrycat flaw could allow compromising millions of Cisco devices appeared first on Security Affairs.

Cyber Security Roundup for February 2019

The perceived threat posed by Huawei to the UK national infrastructure continued to make the headlines throughout February, as politicians, UK government agencies and the Chinese telecoms giant continued to play out their rather public spat in the media. See my post Is Huawei a Threat to UK National Security? for further details. And also, why DDoS might be the greater threat to 5G than Huawei supplied network devices.

February was a rather quiet month for hacks and data breaches in the UK, Mumsnet reported a minor data breach following a botched upgrade, and that was about it. The month was a busy one for security updates, with Microsoft, Adobe and Cisco all releasing high numbers of patches to fix various security vulnerabilities, including several released outside of their scheduled monthly patch release cycles.

A survey by PCI Pal concluded the consequences of a data breach had a greater impact in the UK than the United States, in that UK customers were more likely to abandon a company when let down by a data breach. The business reputational impact should always be taken into consideration when risk assessing security.


Another survey of interest was conducted by Nominet, who polled 408 Chief Information Security Officers (CISOs) at midsize and large organisations in the UK and the United States. A whopping 91% of the respondents admitted to experiencing high to moderate levels of stress, with 26% saying the stress had led to mental and physical health issues, and 17% said they had turned to alcohol. The contributing factors for this stress were job security, inadequate budget and resources, and a lack of support from the board and senior management. A CISO role can certainly can be a poisoned-chalice, so its really no surprise most CISOs don't stay put for long.

A Netscout Threat Landscape Report declared in the second half of 2018, cyber attacks against IoT devices and DDoS attacks had both rose dramatically. Fuelled by the compromise of high numbers of IoT devices, the number of DDoS attacks in the 100GBps to 200GBps range increased 169%, while those in the 200GBps to 300GBps range exploded 2,500%. The report concluded cybercriminals had built and used cheaper, easier-to-deploy and more persistent malware, and cyber gangs had implemented this higher level of efficiency by adopting the same principles used by legitimate businesses. These improvements has helped malicious actors greatly increase the number of medium-size DDoS attacks while infiltrating IoT devices even quicker.

In a rare speech, Jeremy Fleming, the head of GCHQ warned the internet could deteriorate into "an even less governed space" if the international community doesn't come together to establish a common set of principles. He said "China, Iran, Russia and North Korea" had broken international law through cyber attacks, and made the case for when "offensive cyber activities" were good, saying "their use must always meet the three tests of legality, necessity and proportionality. Their use, in particular to cause disruption or damage - must be in extremis".  Clearly international law wasn't developed with cyber space in mind, so it looks like GCGQ are attempting to raise awareness to remedy that.

I will be speaking at the e-crime Cyber Security Congress in London on 6th March 2019, on cloud security, new business metrics, future risks and priorities for 2019 and beyond.

Finally, completely out of the blue, I was informed by 4D that this blog had been picked by a team of their technical engineers and Directors as one of the best Cyber Security Blogs in the UK. The 6 Best Cyber Security Blogs - A Data Centre's Perspective Truly humbled and in great company to be on that list.

BLOG
NEWS 
AWARENESS, EDUCATION AND THREAT INTELLIGENCE
REPORTS