Dark Reading is part of the Informa Tech Division of Informa PLC

Network Security | 5/15/2019 10:50 AM | Larry Loeb

Cisco All at Sea Over Trust Anchor Module Vulnerability

Researchers have found ways to bypass the entire process of secure booting that the hardware was designed to support.

Cisco has issued a high-level security advisory about a "Secure Boot Hardware Tampering Vulnerability." The advisory affects almost all Cisco products released since 2013 that support the Trust Anchor module (TAm).

The researchers, from Red Balloon Security, published their own disclosure on the same subject alongside Cisco's advisory.

They disclosed that "an attacker [could] fully bypass Cisco's Trust Anchor module (TAm) via Field Programmable Gate Array (FPGA) bitstream manipulation." Of course, the attacker must have root to be able to do such manipulation.

They found a way to get that, too: a second vulnerability, a remote command injection flaw in Cisco IOS XE version 16, allows remote code execution as root.

Chain the two together and you have a bypass of the TAm. Along with that, Red Balloon says that an "attacker can remotely and persistently bypass Cisco's secure boot mechanism and lock out all future software updates to the TAm."

But the root of the problem may not lie in the software at all. The researchers are quite direct about where they place the blame.

While everyone waits for Cisco to patch, the researchers say that because the cause of the vulnerability "is fundamentally a hardware design flaw, we believe it will be very difficult, if not impossible to fully resolve this vulnerability via a software patch."

They continued that, "While the flaws are based in hardware, [the vulnerability] can be exploited remotely without any need for physical access. Since the flaws reside within the hardware design, it is unlikely that any software security patch will fully resolve the fundamental security vulnerability."

So the researchers do not expect any form of software mitigation to fully resolve this.

There is a huge number of vulnerable devices, since Cisco used the TAm extensively in its enterprise routers, switches and firewalls. The length of the affected-product list in the advisory is eye-popping. Cisco acknowledges in its advisory that no workarounds are available at this time.

Yet even the researchers have not seen the problem exploited in the wild. "We are unaware of any use of this exploit in the wild, but the potential danger is severe," they say.

Just how practical an attack that uses FPGA bitstream manipulation as its vector will be remains to be seen, and much more information about that aspect is likely to emerge. But if the attack works, it works big.

Cisco's mitigation efforts cannot be ignored either, even if they prove less successful than hoped. Cisco will be highly motivated here, to be sure.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.