back to article It's 2019 so now security vulnerabilities are branded using emojis: Meet Thrangrycat, a Cisco router secure boot flaw

Security weaknesses at the heart of some of Cisco's network routers, switches, and firewalls can be exploited by hackers to hide spyware deep inside compromised equipment. In order to exploit these flaws, dubbed 😾😾😾 or Thrangrycat by their discoverers, a miscreant or rogue employee needs to be able to log into the vulnerable …

  1. ciaran
    Devil

    Great backdoor for the NSA to exploit

    Snowden's data dump showed that the NSA likes intercepting shipments to some clients to install backdoors.

    I would say this flay perfectly fits their modus operandi. I'm not saying they encouraged cisco to set things up like this, but I'd be surprised if they hadn't already found this situation...

    1. Roland6 Silver badge

      Re: Great backdoor for the NSA to exploit

      Yes this 'flaw' does seem to fit very nicely with the previously disclosed Photos of an NSA “upgrade” factory show Cisco router getting implant

      Only issue is that the photo disclosure dates the activities as happening in 2010, according to Thrangrycat/Red Balloon their discovery exploits a feature introduced in 2013...

      However, the publication of Glenn Greenwald's book in 2014 and an associated trove of papers might not be unrelated...

  2. Roland6 Silver badge

    Cisco, for one, told us it "is not aware of any malicious use of the vulnerability."

    Has any one bothered to ask the NSO Group?

    1. Yorick

      Re: Cisco, for one, told us it "is not aware of any malicious use of the vulnerability."

      *tinfoil hat*

      If the vulnerability is used by a friendly 3-letter agency, it’s not “malicious use”, is it?

      1. Rich 11 Silver badge

        Re: Cisco, for one, told us it "is not aware of any malicious use of the vulnerability."

        Although I think we can safely assume that its use by a three-feline agency would be malicious.

  3. Yet Another Hierachial Anonynmous Coward

    Quick !

    Quick - hurry now. Remove all that Cisco gear from your network and replace it with something else that is secure.

    Let the government know - they can hold a national security meeting about it.

    1. Anonymous Coward
      Anonymous Coward

      Re: Quick !

      No, no, they're not Chinese. They're American so you can trust them.

      Hold my coat while I laugh hysterically.

    2. a_yank_lurker Silver badge

      Re: Quick !

      Is this way Chinese gear is an abomination to 'Five Eyes'; its actually secure?

      1. Crazy Operations Guy Silver badge

        Re: Quick !

        That is what I've been thinking. If it was insecure, wouldn't they be throwing out piles and piles of CVEs and proof-of-concept exploits? Yet they seem to have left all their proof in their other pants or something.

        Dear America,

        CVEs or it didn't happen

        -Signed, everyone tired of your bullshit lies.

        Because at this point, given the sheer number of security bugs reports I keep seeing, it seems that Cisco is the insecure one...

    3. DougS Silver badge

      Care to tell us

      What that "something secure" might be? We'll wait.

    4. spold Bronze badge

      Re: Quick !

      It's just supports lawful intercept stuff... who might use this stuff it ships with anyway....??? ;-)

      https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/lawful/intercept/book/65LIch1.html

  4. LDS Silver badge
    Facepalm

    ?

    "Choosing <El reg doesn't support emojis in comments?> instead of a name rooted in any one language ensures that the technical contents of our research can be discussed democratically and without latent cultural or linguistic bias." (but against our feline overlords, IMHO)

    "There is no phonetic transcription for this specific sequence of repeated emojis"

    Let me know how I can discuss something that can't be pronounced in any language... some people still talk face to face, not only messaging each other....

    1. Yorick

      Re: ?

      Showing your age there with all this talk of flapping your flesh to produce sounds in order to communicate.

      1. LDS Silver badge
        Devil

        "flapping your flesh to produce sounds"

        It's called "multimedia" and "multitasking".... compared to the single-media single-task approach of those who are moving backwards along evolution lines....

        1. Alister Silver badge

          Re: "flapping your flesh to produce sounds"

          moving backwards along evolution lines...

          Opposable thumbs, that's what you need for holding a smartphone and texting. That's the evolutionary imperative, right there...

          1. LDS Silver badge
            Joke

            Re: "flapping your flesh to produce sounds"

            Nah, when a smartphone will be directly implanted "people" will no longer need an opposable thumb. Just thumbs, or tentacles...

    2. FatGerman

      Re: ?

      I refer to it as 'The vulnerability formerly known as Prince'

  5. Yorick

    Not just Web UI

    Privilege escalation may also be possible from CLI, depending on IOS XE version. See https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-xecmd

    Same basic attack vector - go in as admin via web or CLI, escalate privileges, plant yourself in the TAm.

    Kudos to your spot-on reporting, vultures. A quick web search shows a bunch of hastily written stories by other tech rags that are anywhere from plain wrong to misleading to incomplete, and that includes ZDNet, who warn that “an attacker located anywhere on the internet can take over devices.” A little too breathless. For some value of “attacker”, sure. The one with access to your internal network and authenticated admin access to your gear.

    1. Sir Runcible Spoon Silver badge

      Re: Not just Web UI

      Whilst the admin access requirement has already been noted, this makes this a lot worse by extending the window of opportunity.

      Someone who only has access to the devices for a short period of time can compromise them forever, not just the duration of their (legitimate) access.

      My world just got a lot more complicated. If this starts getting exploited I can see people switching to more secure Chinese kit :)

      1. Roland6 Silver badge

        Re: Not just Web UI

        >Someone who only has access to the devices for a short period of time can compromise them forever, not just the duration of their (legitimate) or illegitimate access.

        Remember Cisco, like most vendors ship product with well-known default admin credentials eg. admin/admin. Someone who only has access to the devices for a short period of time can compromise them forever, not just the duration of their (legitimate) access - perfect for spook delivery intercept access.

  6. dajames Silver badge

    Thrangrycat?

    ... and yet the emoji chosen to represent this exploit are U+1F63E POUTING CAT FACE, "intended to depict pouting rather than simply anger".

    Would Threepoutycat not be a better name?

    1. Pascal

      Re: Thrangrycat?

      Pouthreecat.

    2. Ian Emery Silver badge

      Re: Thrangrycat?

      It could be similar to Traditional Chinese script, where two symbols meaning "woman", placed next to each other mean "arguement".

      As others, I can only imagine the headline screams from the red tops if this had been Huawai.

  7. Anonymous Coward
    Anonymous Coward

    On word

    Oh dear.

    1. Sir Runcible Spoon Silver badge
      Joke

      To words

      My dearest

  8. Anonymous Coward
    Anonymous Coward

    I refuse to call it...

    What they name it.

    It's putty-fail.

  9. Big_Boomer

    Defects Everywhere

    Yup, Cisco have them, Huawei have them, in fact if someone ever produced a totally bug free piece of software, I'd be amazed. Yet for some reason when it's Huawei it's headlines and calls for the Chinese Satan to be boycotted, yet when it's Cisco it's swept under the carpet. Do Trump/Pompeo not realise just how completely transparent their pathetic attempts are? They are more likely to push us into the arms of the Chinese than the other way around.

    1. Brian Miller

      Re: Defects Everywhere

      Sure, there are defects everywhere. The NXP i.MX chips were shipping with a flaw that allowed a similar exploit. The i.MX chips have two modes for their secure firmware: signed or encrypted. The flaw for signed mode was giving it munged signing certificates, and then the checks would be aborted due to a stack overflow. The flaw for the encrypted mode was simply a malicious encrypted update of the same size. Otherwise, the modes worked just as intended...

      All that said, the i.MX chips have the right idea. Certificates are generated, and then a hash of the public keys are burned into PROM ("e-fuses"). The ROM checks the boot loader for its signature, and then allows it to execute. Once the trusted boot loader is running, it can check the Linux kernel for integrity, and then allow it to boot. After that, of course all bets are off.

    2. LDS Silver badge

      Re: Defects Everywhere

      From a US perspective it does make sense. They known the can control Cisco but not Huawei. From a Chinese perspective it's the other way round (although China can probably compromise more Cisco hardware made in China than US can compromise Huawei hardware made in the US).

      Everybody else should treat both of them as possible trojan horses.... Europe should bet on Nokia/Ericcson/Alcatel....

      1. Pascal Monett Silver badge

        There is Huawei hardware made in the US ? Now that's news.

  10. A random security guy

    There are many vulnerabilities that allow privileged access to Cisco routers

    Getting admin access: We see these vulnerabilities not just in Cisco but in other equipment too. So that is not a challenge.

    Essentially Cisco did the "CHEAP" and easy thing: store supposedly "trusted code" on SPI flash. That is a no-no from so many different perspectives that I can't believe that it wasn't flagged. Probably overridden by management because they believed "no one will be able to do it as it is so hard".

    This sort of mistake is so easy to overcome; I bet the basic patents have all expired if they want to save money. You can get a $1 ARM MCU that has TrustZone or an $1.50 ECC 608.

    1. Anonymous Coward
      Anonymous Coward

      Re: There are many vulnerabilities that allow privileged access to Cisco routers

      Probably overridden by management because don't ask why just do it this way and stop writing emails about it if you know what's good for you.

  11. JLV Silver badge
    Black Helicopters

    I wonder. In the human world, very sensitive activities need to be carried out by multiple people at once. For example, the nuclear launchers 2 key systems. Or multiple signatures on large bank withdrawals.

    Has there ever been any thought on using something like a 2nd auth on computer systems in cases of extreme sensitivity? Like, gee, modifying a trust module’s settings? Possibly even a physical jumper?

    I know, most likely unproductive and impractical. But just curious if any theoretical work’s been done.

    BTW I agree that the article makes it clear you’re already on a root-compromised system. But the ability to go dark, in such a system-supported way, from the initial breach is something extra problematic.

    1. Crazy Operations Guy Silver badge

      Or, the original method: No software-updatable firmware, your code is located on wide DIP-chips that fit into a socket. If you wanted to change the firmware, you had to crack the thing open. Maybe we should return to that model for security-sensitive components.

      Having to ship a physical piece of silicon and then convince someone to stick it in their equipment is a pretty big barrier to attackers and malware versus the current model f just a few bits across the wire. Sure, its expensive, but you know what is less expensive? Properly testing security-senstive shit before shipping it rather than relying on "We can just patch it later".

      1. Anonymous Coward
        Anonymous Coward

        Having to ship a physical piece of silicon and then convince someone to stick it in their equipment is a pretty big barrier to attackers and malware versus the current model

        It isn't the big barrier you believe it to be, trust me. In fact, I'd say it's probably easier to carry out than exploiting this vuln.

        Depressing, but proven true repeatedly.

        1. Crazy Operations Guy Silver badge

          First off, why should I trust an Anonymous Coward that has provided precisely zero citations for their claims?

          But secondly, pray tell, -how- is it easier? The vulnerability could be exploited by a simple bit of malware on a network admin's computer that waits for them to connect to the Cisco UI.

          Whereas I imagined that if there was a vulnerability in a security-sensitive chunk of code that the manufacturer would send out an announcement to affect customers and/or news sites. The affected customer would then enter their serial number onto a page to request the updated chip, when the chip is shipped, they get a tracking number. Exploiting this method would require somehow waylaying the shipment and replacing it without the shipping agency getting wise. The package itself could also contain a number of anti-tampering measures. They could even etch the serial number of the system the chip is intended for onto the chip (Which would require the malicious actor to already know the serial number). Most systems will also output the signature of the various add-in ROMs the BIOS hand execution off to, which can be done here. Maybe include something in the BIOS that if BIOS signatures change, it notifies the operator. So that post-install, a message pops up and gives a sha256 and crc checksums or something, which can be matched with data sent by manufacturer in an email or posted on their website.

          At the very least, requiring a physical item to be replaced would generate all sorts of change management procedures, downtime to be scheduled, etc,. Someone is going to notice a piece of equipment being taken down while no one is going to notice that some hidden bit of software has been modified.

  12. DougS Silver badge

    The lowest level code MUST be in ROM

    Putting it in something that can be reprogrammed is stupid. They should have a simple ROM that loads the "secure bootloader" code off flash, which has been encrypted with a private key that you keep secure and decrypted with a public key that's kept in the ROM. That way the secure bootloader code can be changed if necessary - but it should be done only to fix a bug or correct a security issue, "features" are for the full OS the bootloader loads. Better yet - have several public keys installed in the ROM, in case one of your private keys leaks and you have to stop using it for bootloader firmware updates.

    Use of an FPGA here is strange, is it because they already have other FPGA resources in the router and can devote a little corner to this? It isn't like a bootloader benefits from running in "hardware" (if you can call an FPGA that) versus a little ARM or RISCV core.

  13. Nick Kew Silver badge
    Coat

    Wicked speculation

    Could it be the amount of work they've had to devote to supporting US Government spying requirements that caused Cisco to fall behind an unencumbered Huawei?

    Mine's the one with the tinfoil lining.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019