search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Cisco Trust Anchor module (TAm) improperly checks code and Cisco IOS XE web UI does not sanitize user input

Vulnerability Note VU#400865

Original Release Date: 2019-05-14 | Last Revised: 2019-05-16

Overview

Cisco's Trust Anchor module (TAm) can be bypassed through manipulating the bitstream of the Field Programmable Gate Array (FPGA). This component handles access control to a hardware component within Cisco's Secure Boot implementations, which affects multiple products that support this functionality. An authenticated, local attacker could bypass the Secure Boot and make persistent changes to the root trust for software integrity. Additionally, Cisco's IOS XE web UI improperly sanitizes user-input, and could allow an authenticated, remote attack to execute commands. An authenticated, remote attacker could execute commands as root on the vulnerable device.

Description

CVE-2019-1649: Secure Boot Tampering, also known as Thrangrycat

The logic that handles Cisco's Secure Boot improperly checks an area of code that manages the Field Programmable Gate Array (FPGA). The secure boot feature is a proprietary FPGA based implementation used for ensuring chain of trust for software. The secure boot can be bypassed by modifying the bitstream of the FPGA, allowing an authenticated, local attacker to make persistent modification to the root of trust for software integrity.

CVE-2019-1862: IOS XE Web UI Command Injection
The web user interface of Cisco IOS XE improperly sanitizes user-supplied input. This could allow an authenticated, remote attacker to execute commands as root on the underlying Linux shell.

Impact

A local or remote attacker could write a new firmware image to the TAm. When exploited together, these vulnerabilities could allow a remote, authenticated attacker to remotely and persistently bypass Secure Boot and prevent future software updates to the TAm.

To exploit CVE-2019-1649, an attacker would need to have privileged administrative access to the device. This type of access could be achieved by exploiting the vulnerability described in CVE-2019-1862 or other potential remote command injection vulnerabilities.

Solution

CVE-2019-1649
Cisco is in the process of developing and releasing software fixes for all affected platforms. We recommend installing this update when it is available.

CVE-2019-1862
Apply the update from Cisco.

Workaround

CVE-2019-1649
Guidance from Cisco recommends that users refer to the Cisco Guide to Harden Cisco IOS Devices, as it provides information about how to harden the device and secure management access. Implementing the recommendations in this document would likely reduce the attack surface for this vulnerability.

Vendor Information

400865
 
Affected   Unknown   Unaffected

Cisco

Updated:  May 16, 2019

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco -sa-20190513-secureboot


CVSS Metrics

Group Score Vector
Base 6.8 AV:L/AC:L/Au:S/C:C/I:C/A:C
Temporal 6.8 E:ND/RL:U/RC:C
Environmental 6.8 CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

Acknowledgements

This document was written by Madison Oliver.

Other Information

CVE IDs: CVE-2019-1649, CVE-2019-1862
Date Public: 2019-05-13
Date First Published: 2019-05-14
Date Last Updated: 2019-05-16 17:12 UTC
Document Revision: 37

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.