A new security flaw has been discovered that exists in almost all
Cisco networking products manufactured since 2013. The flaw, dubbed
Thrangrycat by some in the security community, could allow attackers to
implant a persistent backdoor on affected devices. The flaw allows an
unauthorized process to update the code in the Trust Anchor module (TAm,
Cisco’s equivalent of the TPM), thereby disabling critical security
functionality, essentially bypassing the Secure Boot features of the
device and locking out future software updates to the TAm. This
flaw, CVE-2019-1649, is documented by Cisco here.
Cisco is attempting to downplay the severity of this vulnerability on the
grounds that it is not remotely exploitable. However, security researchers
have chained this vulnerability with CVE-2019-1862 to exploit the flaw
remotely through the IOS web interface.
The researchers have noted, "Since the flaws reside within the hardware
design, it is unlikely that any software security patch will fully
resolve the fundamental security vulnerability." Since it is unlikely
that Cisco will be able to adequately mitigate this vulnerability, it
becomes even more important that these devices be kept up to date with
other security patches, particularly for vulnerabilities that allow remote
code execution. Edge devices will be particularly susceptible to
exploitation if left unpatched and could allow an attacker a persistent
presence on your clients' network.