Dark Reading is part of the Informa Tech Division of Informa PLC


Network Security

5/15/2019 10:50 AM
Larry Loeb

Cisco All at Sea Over Trust Anchor Module Vulnerability

Researchers have found ways to bypass the entire process of secure booting that the hardware was designed to support.

Cisco has issued a security advisory, rated High, about a "Secure Boot Hardware Tampering Vulnerability." The advisory covers almost all Cisco products shipped since 2013 that support the Trust Anchor module (TAm).

The researchers, from Red Balloon Security, published their own disclosure in coordination with Cisco.

They disclosed that "an attacker [could] fully bypass Cisco's Trust Anchor module (TAm) via Field Programmable Gate Array (FPGA) bitstream manipulation." That manipulation, however, requires root privileges on the device.

They found a way to get root as well: a second vulnerability, a remote command injection flaw in Cisco IOS XE version 16, which allows remote code execution as root.

Chain the two together and the TAm can be bypassed without any physical access. Red Balloon adds that an "attacker can remotely and persistently bypass Cisco's secure boot mechanism and lock out all future software updates to the TAm."

The root of the problem, however, may not lie in software code at all. The researchers are plain about where they place the blame.

While everyone waits for Cisco to patch, they write that because the vulnerability "is fundamentally a hardware design flaw, we believe it will be very difficult, if not impossible to fully resolve this vulnerability via a software patch."

They continue: "While the flaws are based in hardware, [the vulnerability] can be exploited remotely without any need for physical access. Since the flaws reside within the hardware design, it is unlikely that any software security patch will fully resolve the fundamental security vulnerability."

In short, the researchers do not expect any software patch, in any form, to fully resolve the issue.
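To make the chained bypass described above concrete, and to show why the researchers argue a software patch cannot fully fix a flaw in the root of trust, here is an added conceptual model of a hardware-anchored secure-boot chain. It is illustration code written for this article, not Cisco's TAm design and not Red Balloon's exploit; the stage names, the in-memory "anchor" and the sample boot images are all constructed. The model pins each stage to the SHA-256 digest of the next one, and the `mutable` flag stands in for an anchor whose verification state lives in reprogrammable storage (such as an FPGA bitstream) rather than in mask ROM or one-time-programmable fuses.

```python
"""Conceptual secure-boot chain: anchor -> bootloader -> firmware.

Added example, not Cisco's or Red Balloon's code.  Images and stage names
are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample images (not real artifacts).
VENDOR_BOOTLOADER_CODE = b"vendor-bootloader-v1"
VENDOR_FIRMWARE = b"vendor-ios-xe-16.x-release-image"
ROGUE_BOOTLOADER_CODE = b"attacker-bootloader"
ROGUE_FIRMWARE = b"attacker-implant-image"


@dataclass
class Bootloader:
    code: bytes
    pinned_firmware_digest: str  # only firmware with this digest is run

    def digest(self) -> str:
        # The pin is covered by the digest, so changing which firmware the
        # bootloader accepts also changes what the anchor sees.
        return sha256(self.code + self.pinned_firmware_digest.encode())


@dataclass
class TrustAnchor:
    pinned_bootloader_digest: str
    mutable: bool  # True models anchor state held in a reprogrammable bitstream
    accepts_updates: bool = True


def boot(anchor: TrustAnchor, bootloader: Bootloader, firmware: bytes) -> list:
    """Walk the chain and return the stages that were accepted."""
    passed = []
    if bootloader.digest() != anchor.pinned_bootloader_digest:
        return passed
    passed.append("bootloader")
    if sha256(firmware) != bootloader.pinned_firmware_digest:
        return passed
    passed.append("firmware")
    return passed


def vendor_chain(mutable_anchor: bool):
    """Genuine chain as the vendor would ship it."""
    bl = Bootloader(VENDOR_BOOTLOADER_CODE, sha256(VENDOR_FIRMWARE))
    return TrustAnchor(bl.digest(), mutable=mutable_anchor), bl


def tamper_anchor_as_root(anchor: TrustAnchor, rogue_bl: Bootloader) -> None:
    """What a local root user can do when the anchor is rewritable: repin it
    to an attacker bootloader and refuse any later vendor repair."""
    if not anchor.mutable:
        raise PermissionError("anchor is immutable: root on the host is not enough")
    anchor.pinned_bootloader_digest = rogue_bl.digest()
    anchor.accepts_updates = False


def apply_vendor_anchor_update(anchor: TrustAnchor, new_bl_digest: str) -> bool:
    """A vendor 'patch' to the anchor succeeds only if the anchor still lets it."""
    if not anchor.accepts_updates:
        return False
    anchor.pinned_bootloader_digest = new_bl_digest
    return True


def demo(mutable_anchor: bool) -> dict:
    anchor, vendor_bl = vendor_chain(mutable_anchor)
    rogue_bl = Bootloader(ROGUE_BOOTLOADER_CODE, sha256(ROGUE_FIRMWARE))
    out = {
        "genuine_before": boot(anchor, vendor_bl, VENDOR_FIRMWARE),
        "rogue_before": boot(anchor, rogue_bl, ROGUE_FIRMWARE),
    }
    try:
        tamper_anchor_as_root(anchor, rogue_bl)
        out["tampered"] = True
    except PermissionError:
        out["tampered"] = False
    out["rogue_after"] = boot(anchor, rogue_bl, ROGUE_FIRMWARE)
    out["genuine_after"] = boot(anchor, vendor_bl, VENDOR_FIRMWARE)
    out["vendor_update_applied"] = apply_vendor_anchor_update(anchor, vendor_bl.digest())
    return out


if __name__ == "__main__":
    for mutable in (True, False):
        print("mutable anchor:" if mutable else "immutable anchor:", demo(mutable))
```

Run it and the two cases diverge exactly where the article's argument does: with a mutable anchor, a root-level attacker repins the chain so that only the rogue bootloader and firmware boot, the genuine images are rejected, and the vendor's later anchor update is refused; with an immutable anchor, root alone cannot touch the pin, and the vendor update still lands. The fix in the model is the `mutable` flag, which is a property of where the anchor state is stored, not something a software update can change after the fact.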

There is a huge number of vulnerable devices, since Cisco used the TAm extensively in its enterprise routers, switches and firewalls. The list of affected products in the advisory is eye-popping. Cisco acknowledges in the advisory that no workarounds are available at this time.

Still, the researchers are not aware of the flaw being exploited in the wild. "We are unaware of any use of this exploit in the wild, but the potential danger is severe," they say.

Just how practical FPGA bitstream manipulation is as an attack vector remains to be seen, and more detail on that aspect will surface over time. But if the attack works, it works big.

Cisco's mitigation efforts should not be dismissed either, even if they prove less successful than hoped. Cisco will certainly be highly motivated here.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
