
Cisco Has a Really Ugly Bug

A company named Red Balloon Security (no, I don’t make up these names) has discovered a flaw in Cisco’s so-called secure boot process used in routers, switches and firewalls installed by government agencies and enterprises.

Of course, every cool vulnerability needs a cool name, cool icon and cool website.  This one does.  It is called ThrangryCat.

Kind of like what we have seen over the last year with Intel, AMD and ARM: as vendors try to get clever with the hardware, sometimes the hardware gets the best of them.  Such is the case here.

Cisco’s secure store is called the Trust Anchor module (TAm).  It underpins the root of trust of many Cisco products.

But ThrangryCat allows a hacker to make modifications to the software in these devices in a way that persists across reboots.

ThrangryCat requires an authenticated user, preferably an admin user, to do its damage, which means that, in theory, this is not a big problem.  Except that at the same time the researchers announced ThrangryCat (which they have been working on fixing with Cisco for a year), they announced a vulnerability that would allow an unauthenticated user, remotely from anywhere in the world, to become an admin.  Tie that to this first bug and an unauthenticated user, anywhere in the world, can modify the Cisco software in a malicious way that persists.

Remember, also, that for the most part, if you do not have a current Cisco support contract, you cannot get patches.  In this case, if you CALL Cisco and give them enough information to convince them that you are legit, they will give you this one patch.  Also remember that if you buy a used Cisco device, the software in it does not transfer to you.  You must PURCHASE a new copy of the software.  All of this together is why I generally do not recommend people buy Cisco.

But assuming that you do have one, you need to patch it because these guys even released proof-of-concept exploit code.

So I went to Cisco’s bug list site (the last link below) to look for info on the patch.

BOY, was I surprised.

For today alone, May 15th, there are 47 patches.  The patches for the bugs in this alert were posted on the 13th and are on page 3.

In fairness to Cisco, they make a lot of stuff and sometimes they have to release versions of the same bug fix for different devices separately.  In any case, that page is probably a good one to bookmark.

OH!  One last item.  You must be on site to deploy the fix.  Cisco does not explain why other than saying that you are reprogramming an FPLA (a piece of hardware).  My guess is that you have to interact with the programming either for technical reasons or for security reasons, so don’t think you are going to do this from your home in front of the TV.  SO SORRY!

But, given this is now big news and free code is available to exploit it, if you don’t patch it, maybe the hackers will do that for you in their OWN way.

And, yes, I know I am beating up John Chambers.  It is fun.  But other vendors have been in similar boats (other than making it too hard for you to obtain the patches), so I guess we can cut them some slack.

Information for this alert came from HelpNetSecurity, ZDNet and Cisco.