Critical Vulnerabilities in Cisco Products
Cisco reported that a vulnerability (CVE-2019-1649) “in the logic that handles access control to one of the hardware components in Cisco's proprietary Secure Boot implementation could allow an authenticated, local attacker to write a modified firmware image to the component. This vulnerability affects multiple Cisco products that support hardware-based Secure Boot functionality.”
Additionally, Cisco reported that another vulnerability (CVE-2019-1862) in the “web-based user interface (Web UI) of Cisco IOS XE Software could allow an authenticated, remote attacker to execute commands on the underlying Linux shell of an affected device with root privileges.”
The vulnerability, called Thrangrycat, affects millions of Cisco devices (including routers, switches and firewalls) and exposes a large number of corporate and government networks to remote attacks, according to Red Balloon Security.
Cisco also noted in regard to the Secure Boot vulnerability that it will release software patches, but there are no workarounds to address the issue.
An attacker could exploit Thrangrycat to gain full and permanent access to those networks. It also can't be fixed with a software patch, so it will be difficult for affected organizations to fully mitigate the threats it poses, according to Red Balloon Security.
“This is a significant security weakness which potentially exposes a large number of corporate, government and even military networks to remote attacks,” said Dr. Ang Cui, founder and chief scientist of Red Balloon Security, in a press release.
“We're talking about tens of millions of devices potentially affected by this vulnerability, many of them located inside of sensitive networks. These Cisco products form the backbone of secure communications for these organizations, and yet we can exploit them to permanently own their networks. Fixing this problem isn't easy, because to truly remediate it requires a physical replacement of the chip at the heart of the Trust Anchor system. A firmware patch will help to offset the risks, but it won't completely eliminate them. This is the real danger, and it will be difficult for companies, financial institutions and government agencies to properly address this problem.”
Source: Information Security Magazine