Thrangrycat
Presentation Slides
This research was presented at Black Hat 2019 and DEF CON 27. The presentation, titled “100 Seconds of Solitude: Defeating Cisco Trust Anchor With FPGA Bitstream Shenanigans", is available here.
Tool Released
Following Black Hat 2019 and DEF CON 27, we released open-source tools which are available on Github.
First, we developed a Binary Abstraction Layer (BAL) package which is a tiny framework for analyzing and manipulating binary data.
Second, we developed a BAL Xilinx package, an implementation of the BAL framework for Xilinx FPGA. This BAL Xilinx package supports:
(i) packing and unpacking of most of the bitstream; (ii) target device and encryption detection; and (iii) pin modification (force the pin high and low).
Lastly, we developed the BAL Visualizer which is a tool used to visualize binary data.
The visualization file is generated by the BAL framework, and the visualization application runs entirely in a browser and no data is uploaded to the network.
BAL Package: https://github.com/ballon-rouge/bal
BAL Xilinx Package: https://github.com/RedBalloonShenanigans/bal-xilinx
BAL Visualizer: https://github.com/ballon-rouge/bal-visualizer
Awards
We are excited to announce that 😾😾😾 has won the 2019 Pwnie Award for the Most Under-Hyped Research!
Vulnerability Disclosure
Red Balloon Security, Inc. is disclosing two vulnerabilities affecting the products of Cisco Systems, Inc. (“Cisco”). The first, known as 😾😾😾, allows an attacker to fully bypass Cisco’s Trust Anchor module (TAm) via Field Programmable Gate Array (FPGA) bitstream manipulation. The second is a remote command injection vulnerability against Cisco IOS XE version 16 that allows remote code execution as root. By chaining the 😾😾😾 and remote command injection vulnerabilities, an attacker can remotely and persistently bypass Cisco’s secure boot mechanism and lock out all future software updates to the TAm.
Summary
😾😾😾 is caused by a series of hardware design flaws within Cisco’s Trust Anchor module. First commercially introduced in 2013, Cisco Trust Anchor module (TAm) is a proprietary hardware security module used in a wide range of Cisco products, including enterprise routers, switches and firewalls. TAm is the root of trust that underpins all other Cisco security and trustworthy computing mechanisms in these devices. 😾😾😾 allows an attacker to make persistent modification to the Trust Anchor module via FPGA bitstream modification, thereby defeating the secure boot process and invalidating Cisco’s chain of trust at its root. While the flaws are based in hardware, 😾😾😾 can be exploited remotely without any need for physical access. Since the flaws reside within the hardware design, it is unlikely that any software security patch will fully resolve the fundamental security vulnerability.
Q & A
What is Cisco’s Trust Anchor?
Cisco Secure Boot is a secure startup process that ensures the integrity of the firmware running on Cisco hardware devices. To perform this validation each time the device resets, Cisco developed a separate, special-purpose hardware device, known as the Trust Anchor module (TAm), as a root of trust for the secure boot process. After system power-on, the TAm runs the first instructions, which immediately verify the integrity of the bootloader. Should any failure be detected, the device alerts the user and reboots the device, thus preventing the device from executing the modified bootloader.
How is Cisco’s Trust Anchor implemented?
At the design level, the hardware anchor is implemented using an external FPGA. After initial power-on, the FPGA loads an unencrypted bitstream implementing the hardware Trust Anchor to provide root of trust functionality from a dedicated Serial Peripheral Interface (SPI) flash chip. Once the bitstream is loaded, the FPGA performs integrity verification of the pre-boot environment, before the microloader is delivered to the main processor. The FPGA anchor is connected to the main processor via its south bridge and controls the reset pin of the processor. If the FPGA anchor detects any integrity violations in the pre-boot environment, the anchor halts and reboots the system.
What is the vulnerability in Cisco’s Trust Anchor?
An attacker with root privileges on the device can modify the contents of the FPGA anchor bitstream, which is stored unprotected in flash memory. Elements of this bitstream can be modified to disable critical functionality in the TAm. Successful modification of the bitstream is persistent, and the Trust Anchor will be disabled in subsequent boot sequences. It is also possible to lock out any software updates to the TAm’s bitstream.
On what device(s) did you demonstrate the vulnerability?
The vulnerability was demonstrated on a Cisco ASR 1001-X router.
How widespread is this?
This vulnerability affects Cisco products with an FPGA based TAm. Cisco released the following list of more than 100 product families with this vulnerability.
| Product | Cisco Bug ID | Fixed Release Availability |
|---|---|---|
| Network and Content Security Devices | ||
| Cisco ASA 5506-X with FirePOWER Services | CSCvn77246 | Firmware Release 1.1.15 (image name: asa5500-firmware-1115.SPA) (Available) |
| Cisco ASA 5506H-X with FirePOWER Services | CSCvn77246 | Firmware Release 1.1.15 (image name: asa5500-firmware-1115.SPA) (Available) |
| Cisco ASA 5506W-X with FirePOWER Services | CSCvn77246 | Firmware Release 1.1.15 (image name: asa5500-firmware-1115.SPA) (Available) |
| Cisco ASA 5508-X with FirePOWER Services | CSCvn77246 | Firmware Release 1.1.15 (image name: asa5500-firmware-1115.SPA) (Available) |
| Cisco ASA 5516-X with FirePOWER Services | CSCvn77246 | Firmware Release 1.1.15 (image name: asa5500-firmware-1115.SPA) (Available) |
| Cisco Firepower 2100 Series | CSCvn77248 | Cisco Firepower Threat Defense 6.2.2.5 (Available) Cisco Firepower Threat Defense 6.2.2.12 (Available) Cisco Firepower Threat Defense 6.3.0.3 (Available) Cisco Firepower Threat Defense 6.4.0.1 (Available) |
| Cisco Firepower 4000 Series | CSCvn77249 | Firmware bundle package v1.0.18 with ROMMON rev 1.0.15 and FPGA rev 2.0: (Image Names: fxos-k9-fpr4k-firmware.1.0.18.SPA and fxos-k9-fpr9k-firmware.1.0.18.SPA) (Available) |
| Cisco Firepower 9000 Series | CSCvn77249 | Firmware bundle package v1.0.18 with ROMMON rev 1.0.15 and FPGA rev 2.0: (Image Names: fxos-k9-fpr4k-firmware.1.0.18.SPA and fxos-k9-fpr9k-firmware.1.0.18.SPA) (Available) |
| Routing and Switching - Enterprise and Service Provider | ||
| 10Gbps Optical Encryption Line Card for the Cisco NCS 2000 Series and Cisco ONS 15454 MSTP (15454-M-WSE-K9) | CSCvn77191 | 11.1 (Jul 2019) |
| CBR-8 Converged Broadband Router | CSCvn77185 | Cisco IOS XE Software Release 16.12.1 (Jul 2019) |
| Cisco 1-Port Gigabit Ethernet WAN Network Interface Module (NIM-1GE-CU-SFP) | CSCvn77218 | Cisco IOS XE Software Release 16.3.9 (Jul 2019) Cisco IOS XE Software Release 16.6.7 (Oct 2019) Cisco IOS XE Software Release 16.9.4 (Aug 2019) Cisco IOS XE Software Release 16.12.1 (Jul 2019) |
| Cisco 1120 Connected Grid Router | CSCvn89140 | Cisco IOS Software Release 15.9(3)M (Aug 2019) Cisco IOS Software Release 15.8(3)M3 (Aug 2019) Cisco IOS Software Release 15.7(3)M5 (Sep 2019) Cisco IOS Software Release 15.6(3)M7 (Sep 2019) |
| Cisco 1240 Connected Grid Router | CSCvn89137 | Cisco IOS Software Release 15.9(3)M (Aug 2019) Cisco IOS Software Release 15.8(3)M3 (Aug 2019) Cisco IOS Software Release 15.7(3)M5 (Sep 2019) Cisco IOS Software Release 15.6(3)M7 (Sep 2019) |
| Cisco 2-Port Gigabit Ethernet WAN Network Interface Module (NIM-2GE-CU-SFP) | CSCvn77218 | Cisco IOS XE Software Release 16.3.9 (Jul 2019) Cisco IOS XE Software Release 16.6.7 (Oct 2019) Cisco IOS XE Software Release 16.9.4 (Aug 2019) Cisco IOS XE Software Release 16.12.1 (Jul 2019) |
| Cisco 3000 Series Industrial Security Appliances | CSCvn89146 | Firmware release 1.0.05 (image name: isa3000-firmware-1005.SPA) (Available) |
| Cisco 4000 Series Integrated Services Router Packet 1024-Channel High-Density Voice DSP Module (SM-X-PVDM-1000) | CSCvn77212 | Cisco IOS XE Software Release 16.3.9 (Jul 2019) Cisco IOS XE Software Release 16.6.7 (Oct 2019) Cisco IOS XE Software Release 16.9.4 (Aug 2019) Cisco IOS XE Software Release 16.12.1 (Jul 2019) |
| Cisco 4000 Series Integrated Services Router Packet 2048-Channel High-Density Voice DSP Module (SM-X-PVDM-2000) | CSCvn77212 | Cisco IOS XE Software Release 16.3.9 (Jul 2019) Cisco IOS XE Software Release 16.6.7 (Oct 2019) Cisco IOS XE Software Release 16.9.4 (Aug 2019) Cisco IOS XE Software Release 16.12.1 (Jul 2019) |
| Cisco 4000 Series Integrated Services Router Packet 3080-Channel High-Density Voice DSP Module (SM-X-PVDM-3000) | CSCvn77212 | Cisco IOS XE Software Release 16.3.9 (Jul 2019) Cisco IOS XE Software Release 16.6.7 (Oct 2019) Cisco IOS XE Software Release 16.9.4 (Aug 2019) Cisco IOS XE Software Release 16.12.1 (Jul 2019) |
| Cisco 4000 Series Integrated Services Router Packet 768-Channel High-Density Voice DSP Module (SM-X-PVDM-500) | CSCvn77212 | Cisco IOS XE Software Release 16.3.9 (Jul 2019) Cisco IOS XE Software Release 16.6.7 (Oct 2019) Cisco IOS XE Software Release 16.9.4 (Aug 2019) Cisco IOS XE Software Release 16.12.1 (Jul 2019) |
| Cisco 4221 Integrated Services Router | CSCvn77153 | Utility File Name: isr4200_cpld_update_v1.1_SPA.bin (Jun 2019) |
| Cisco 4321 Integrated Services Router | CSCvn77156 | Utility File Name: isr4300_cpld_update_v1.1_SPA.bin (Jun 2019) |
| Cisco 4331 Integrated Services Router | CSCvn77156 | Utility File Name: isr4300_cpld_update_v1.1_SPA.bin (Jun 2019) |
| Cisco 4351 Integrated Services Router | CSCvn77156 | Utility File Name: isr4300_cpld_update_v1.1_SPA.bin (Jun 2019) |
| Cisco 4431 Integrated Services Router | CSCvn77155 | Utility File Name: isr4400_cpld_update_v1.1_SPA.bin (Jun 2019) |
| Cisco 4451-X Integrated Services Router | CSCvn77155 | Utility File Name: isr4400_cpld_update_v1.1_SPA.bin (Jun 2019) |
| Cisco 4461 Integrated Services Router | CSCvn77154 | Utility File Name: isr4400_cpld_update_v1.1_SPA.bin (Jun 2019) |
| Cisco 5000 Series Enterprise Network Compute System | CSCvn77150 | Release no. TBD (Jul 2019) |
| Cisco 809 Industrial Integrated Services Routers | CSCvn89138 | Cisco IOS Software Release 15.8(3)M2a (May 2019) Cisco IOS Software Release 15.7(3)M4b (May 2019) Cisco IOS Software Release 15.6(3)M6b (May 2019) |
| Cisco 829 Industrial Integrated Services Routers | CSCvn89143 | Cisco IOS Software Release 15.8(3)M2a (May 2019) Cisco IOS Software Release 15.7(3)M4b (May 2019) Cisco IOS Software Release 15.6(3)M6b (May 2019) |
| Cisco ASR 1000 Embedded Services Processor, 200G (ASR1000-ESP200) | CSCvn77159 | Release no. TBD (Jun 2019) |
| Cisco ASR 1000 Fixed Ethernet Line Card (6x10GE) (ASR1000-6TGE) | CSCvn89144 | Release no. TBD (Jun 2019) |
| Cisco ASR 1000 Fixed Ethernet Line Card, 2x10GE + 20x1GE (ASR1000-2T+20X1GE) | CSCvn89144 | Release no. TBD (Jun 2019) |
| Cisco ASR 1000 Series 100-Gbps Embedded Services Processor (ASR 1000-ESP100) | CSCvn77160 | Release no. TBD (Jun 2019) |
| Cisco ASR 1000 Series Modular Interface Processor (ASR1000-MIP100) | CSCvn77158 | Release no. TBD (Jun 2019) |
| Cisco ASR 1000 Series Route Processor 3 (Cisco ASR1000-RP3) | CSCvn77167 | Release no. TBD (Jun 2019) |
| Cisco ASR 1001-HX Router | CSCvn77162 | ASR1K-fpga_prog.16.0.0.xe.bin (Available) |
| Cisco ASR 1001-X | CSCvn89145 | ASR1K-fpga_prog.16.0.0.xe.bin (Available) |
| Cisco ASR 1002-HX Router | CSCvn77166 | ASR1K-fpga_prog.16.0.0.xe.bin (Available) |
| Cisco ASR 900 Series Route Switch Processor 2 - 128G, Base Scale (A900-RSP2A-128) | CSCvn77168 | Cisco IOS XE Software Release 16.12.1 (Jul 2019) |
| Cisco ASR 900 Series Route Switch Processor 2 - 64G, Base Scale (A900-RSP2A-64) | CSCvn77168 | Cisco IOS XE Software Release 16.12.1 (Jul 2019) |
| Cisco ASR 900 Series Route Switch Processor 3 - 200G, Large Scale (A900-RSP3C-200) | CSCvn77169 | Cisco IOS XE Software Release 16.12.1 (Jul 2019) |
| Cisco ASR 900 Series Route Switch Processor and Controller 400G (A900-RSP3C-400/W) | CSCvn77169 | Cisco IOS XE Software Release 16.12.1 (Jul 2019) |
| Cisco ASR 9000 Series 16-Port 100 Gigabit Ethernet Line Card (A99-16X100GE-X-SE) | CSCvn77180 | Cisco IOS XR Software Release 7.0.1 (Jul 2019) |
| Cisco ASR 9000 Series 16-Port 100 Gigabit Ethernet Line Card (A9K-16X100GE-TR, A9K-16X100GE-CM) | CSCvn77180 | Cisco IOS XR Software Release 7.0.1 (Jul 2019) |
| Cisco ASR 9000 Series 32-Port 100 Gigabit Ethernet Line Card (A99-32X100GE-TR, A99-32X100GE-CM) | CSCvn77180 | Cisco IOS XR Software Release 7.0.1 (Jul 2019) |
| Cisco ASR 9000 Series Route Switch Processor 5 for Packet Transport (A9K-RSP5-TR) | CSCvn77175 | Cisco IOS XR Software Release 7.0.1 (Jul 2019) |
| Cisco ASR 9000 Series Route Switch Processor 5 for Service Edge (A9K-RSP5-SE) | CSCvn77175 | Cisco IOS XR Software Release 7.0.1 (Jul 2019) |
| Cisco ASR 920 Series Aggregation Services Routers 10GE and 2-10GE - Passively Cooled DC model (ASR-920-10SZ-PD), Cisco ASR920 Series - 20GE SFP, 4Cu and 4-10GE: Modular PSU (ASR-920-20SZ-M) | CSCvn77171 | Cisco IOS XE Software Release 16.12.1 (Jul 2019) |
| Cisco ASR 920 Series Aggregation Services Routers 12 x 1/10GE SFP, AC Model (ASR-920-12SZ-A) | CSCvn77171 | Cisco IOS XE Software Release 16.12.1 (Jul 2019) |
| Cisco ASR 920 Series Aggregation Services Routers 12 x 1/10GE SFP, DC Model (ASR-920-12SZ-D) | CSCvn77171 | Cisco IOS XE Software Release 16.12.1 (Jul 2019) |
| Cisco ASR 920 Series Aggregation Services Routers 12GE and 2-10GE - AC model (ASR-920-12CZ-A) | CSCvn77171 | Cisco IOS XE Software Release 16.12.1 (Jul 2019) |
| Cisco ASR 920 Series Aggregation Services Routers 12GE and 2-10GE - DC model (ASR-920-12CZ-D) | CSCvn77171 | Cisco IOS XE Software Release 16.12.1 (Jul 2019) |
| Cisco ASR 920 Series Aggregation Services Routers 24GE Copper and 4-10GE – Modular PSU (ASR-920-24TZ-IM) | CSCvn77172 | Cisco IOS XE Software Release 16.12.1 (Jul 2019) |
| Cisco ASR 920 Series Aggregation Services Routers 24GE Copper and 4-10GE – Modular PSU (ASR-920-24TZ-M) | CSCvn77172 | Cisco IOS XE Software Release 16.12.1 (Jul 2019) |
| Cisco ASR 920 Series Aggregation Services Routers 24GE Fiber and 4-10GE – Modular PSU (ASR-920-24SZ-M) | CSCvn77172 | Cisco IOS XE Software Release 16.12.1 (Jul 2019) |
| Cisco ASR 920 Series Aggregation Services Routers 2GE and 4-10GE - AC model (ASR-920-4SZ-A) | CSCvn77171 | Cisco IOS XE Software Release 16.12.1 (Jul 2019) |
| Cisco ASR 920 Series Aggregation Services Routers 2GE and 4-10GE - DC model (ASR-920-4SZ-D) | CSCvn77171 | Cisco IOS XE Software Release 16.12.1 (Jul 2019) |
| Cisco ASR 920 Series Aggregation Services Routers Conformal Coated - 12GE and 4-10GE, 1 IM Slot (ASR-920-12SZ-IM-CC), Cisco ASR920 Series - 12GE and 4-10GE, 1 IM slot (ASR-920-12SZ-IM) | CSCvn77170 | Cisco IOS XE Software Release 16.12.1 (Jul 2019) |
| Cisco ASR 9900 Route Processor 3 for Packet Transport (A99-RP3-TR) | CSCvn77175 | Cisco IOS XR Software Release 7.0.1 (Jul 2019) |
| Cisco ASR 9900 Route Processor 3 for Service Edge (A99-RP3-SE) | CSCvn77175 | Cisco IOS XR Software Release 7.0.1 (Jul 2019) |
| Cisco Catalyst 6800 16-port 10GE with Integrated DFC4-XL (C6800-16P10G-XL) | CSCvn77182 | Cisco IOS XE Software Release 15.5(1)SY4 (Sep 2019) |
| Cisco Catalyst 6800 32-port 10GE with Dual Integrated Dual DFC4-XL (C6800-32P10G-XL) | CSCvn77182 | Cisco IOS XE Software Release 15.5(1)SY4 (Sep 2019) |
| Cisco Catalyst 6800 8-port 10GE with Integrated DFC4-XL (C6800-8P10G-XL) | CSCvn77182 | Cisco IOS XE Software Release 15.5(1)SY4 (Sep 2019) |
| Cisco Catalyst 6800 8-port 40GE with Dual Integrated Dual DFC4-EXL (C6800-8P40G-XL) | CSCvn77182 | Cisco IOS XE Software Release 15.5(1)SY4 (Sep 2019) |
| Cisco Catalyst 6800 Series Supervisor Engine 6T XL | CSCvn77181 | Cisco IOS XE Software Release 15.5(1)SY4 (Sep 2019) |
| Cisco Catalyst 6816-X-Chassis (Standard Tables) (C6816-X-LE) | CSCvn77183 | Cisco IOS Software Release 15.5(1)SY4 (Sep 2019) |
| Cisco Catalyst 6824-X-Chassis and 2 x 40G (Standard Tables) (C6824-X-LE-40G) | CSCvn77183 | Cisco IOS Software Release 15.5(1)SY4 (Sep 2019) |
| Cisco Catalyst 6832-X-Chassis (Standard Tables) (C6832-X-LE) | CSCvn77183 | Cisco IOS Software Release 15.5(1)SY4 (Sep 2019) |
| Cisco Catalyst 6840-X-Chassis and 2 x 40G (Standard Tables) (C6840-X-LE-40G) | CSCvn77183 | Cisco IOS Software Release 15.5(1)SY4 (Sep 2019) |
| Cisco Catalyst 9300 Series Switches | CSCvn77209 | Utility name: cat9k_iosxe.16.00.00fpgautility.SPA.bin (Available) |
| Cisco Catalyst 9500 Series High-Performance Switch with 24x 1/10/25G Gigabit Ethernet + 4x 40/100G Uplink (C9500-24Y4C) | CSCvn89150 | Utility name: cat9k_iosxe.16.00.00fpgautility.SPA.bin (Available) |
| Cisco Catalyst 9500 Series High-Performance Switch with 32x 100 Gigabit Ethernet (C9500-32C) | CSCvn89150 | Utility name: cat9k_iosxe.16.00.00fpgautility.SPA.bin (Available) |
| Cisco Catalyst 9500 Series High-Performance Switch with 32x 40 Gigabit Ethernet (C9500-32QC) | CSCvn89150 | Utility name: cat9k_iosxe.16.00.00fpgautility.SPA.bin (Available) |
| Cisco Catalyst 9500 Series High-Performance Switch with 48x 1/10/25G Gigabit Ethernet + 4x 40/100G Uplink (C9500-48Y4C) | CSCvn89150 | Utility name: cat9k_iosxe.16.00.00fpgautility.SPA.bin (Available) |
| Cisco Catalyst 9500 Series Switch with 12x 40G Gigabit Ethernet (C9500-12Q) | CSCvn77220 | Utility name: cat9k_iosxe.16.00.00fpgautility.SPA.bin (Available) |
| Cisco Catalyst 9500 Series Switch with 16x 1/10G Gigabit Ethernet (C9500-16X) | CSCvn77220 | Utility name: cat9k_iosxe.16.00.00fpgautility.SPA.bin (Available) |
| Cisco Catalyst 9500 Series Switch with 24x 40G Gigabit Ethernet (C9500-24Q) | CSCvn77220 | Utility name: cat9k_iosxe.16.00.00fpgautility.SPA.bin (Available) |
| Cisco Catalyst 9500 Series Switch with 40x 1/10G Gigabit Ethernet (C9500-40X) | CSCvn77220 | Utility name: cat9k_iosxe.16.00.00fpgautility.SPA.bin (Available) |
| Cisco Catalyst 9600 Supervisor Engine-1 | CSCvn95346 | Cisco IOS XE Software Release 16.12.1 (Jul 2019) |
| Cisco Catalyst 9800-40 Wireless Controller | CSCvn77165 | C9800-40_fpga_prog.16.0.0.xe.bin (Available) |
| Cisco Catalyst 9800-80 Wireless Controller | CSCvn77163 | C9800-80_fpga_prog.16.0.0.xe.bin (Available) |
| Cisco IC3000 Industrial Compute Gateway | CSCvp42792 | Firmware Release 1.0.2 (image name IC3000-K9-1.0.3.SPA) (Jul 2019) |
| Cisco MDS 9000 Family 24/10 SAN Extension Module (DS-X9334-K9) | CSCvn77141 | Cisco NX-OS Software Release 8.4.1 (June 2019) |
| Cisco NCS 200 Series 10/40/100G MR Muxponder (NCS2K-MR-MXP-K9) | CSCvn77191 | 11.1 (Jul 2019) |
| Cisco NCS 5500 12X10, 2X40 2XMPA Line Card Base (NC55-MOD-A-S) | CSCvn77202 | Cisco IOS XR Software Release 7.1.1 (Nov 2019) |
| Cisco NCS 5500 Series 24 Ports of 100GE and 12 Ports of 40GE High-Scale Line Card (NC55-24H12F-SE) | CSCvn77202 | Cisco IOS XR Software Release 7.1.1 (Nov 2019) |
| Cisco NCS 5500 Series 36 ports of 100GE High-Scale Line Card (NC55-36X100G-A-SE) | CSCvn77202 | Cisco IOS XR Software Release 7.1.1 (Nov 2019) |
| Cisco NCS 5504 Fabric Card (NC55-5504-FC) | CSCvn77202 | Cisco IOS XR Software Release 7.1.1 (Nov 2019) |
| Cisco NCS 5516 Fabric Card (NC55-5516-FC) | CSCvn77202 | Cisco IOS XR Software Release 7.1.1 (Nov 2019) |
| Cisco NCS 55A2 Fixed 24X10G + 16X25G MPA Chassis (NCS-55A2-MOD-S) | CSCvn77201 | Cisco IOS XR Software Release 7.1.1 (Nov 2019) |
| Cisco NCS 55A2 Fixed 24X10G + 16X25G MPA Chassis, Temperature Hardened (NCS-55A2-MOD-HD-S) | CSCvn77201 | Cisco IOS XR Software Release 7.1.1 (Nov 2019) |
| Cisco NCS 55A2 Fixed 24X10G + 16X25G MPA Chassis, Temperature Hardened with Conformal Coating (NCS-55A2-MOD-HX-S) | CSCvn77201 | Cisco IOS XR Software Release 7.1.1 (Nov 2019) |
| Cisco NCS 55A2 Fixed 24X10G + 16X25G MPA Scale Chassis (NCS-55A2-MOD-SE-S) | CSCvn77201 | Cisco IOS XR Software Release 7.1.1 (Nov 2019) |
| Cisco NCS 55A2 Fixed 24X10G + 16X25G MPA Scale Chassis, Temperature Hardened with Conformal Coating (NCS-55A2-MOD-SE-H-S) | CSCvn77201 | Cisco IOS XR Software Release 7.1.1 (Nov 2019) |
| Cisco NCS5501 - 40x10G and 4x100G Scale Chassis (NCS-5501-SE) | CSCvn77201 | Cisco IOS XR Software Release 7.1.1 (Nov 2019) |
| Cisco NCS5501 Fixed 48x10G and 6x100G Chassis (NCS-5501) | CSCvn77201 | Cisco IOS XR Software Release 7.1.1 (Nov 2019) |
| Cisco NCS5502 - 48x100G Scale Chassis (NCS-5502-SE) | CSCvn77201 | Cisco IOS XR Software Release 7.1.1 (Nov 2019) |
| Cisco NCS5502 Fixed 48x100G Chassis (NCS-5502) | CSCvn77201 | Cisco IOS XR Software Release 7.1.1 (Nov 2019) |
| Cisco NCS55A1 Fixed 24x100G Chassis (NCS-55A1-24H) | CSCvn77201 | Cisco IOS XR Software Release 7.1.1 (Nov 2019) |
| Cisco NCS55A1 Fixed 36x100G Base Chassis (NCS-55A1-36H-S) | CSCvn77201 | Cisco IOS XR Software Release 7.1.1 (Nov 2019) |
| Cisco NCS55A1 Fixed 36x100G Scale Chassis (NCS-55A1-36H-SE) | CSCvn77201 | Cisco IOS XR Software Release 7.1.1 (Nov 2019) |
| Cisco Network Convergence System 1002 | CSCvn77219 | Cisco IOS XR Software Release 7.0.1 (Jul 2019) |
| Cisco Network Convergence System 5001 | CSCvn77207 | Cisco IOS XR Software Release 7.1.1 (Nov 2019) |
| Cisco Network Convergence System 5002 | CSCvn77205 | Cisco IOS XR Software Release 7.1.1 (Nov 2019) |
| Cisco Network Convergence System 5500 Series: 1.2-Tbps IPoDWDM Modular Line Card (NC55-6X200-DWDM-S) | CSCvn77202 | Cisco IOS XR Software Release 7.1.1 (Nov 2019) |
| Cisco Network Convergence System 5500 Series: 36X100G MACsec Modular Line Cards (NC55-36X100G-S) | CSCvn77202 | Cisco IOS XR Software Release 7.1.1 (Nov 2019) |
| Cisco Nexus 31108PC-V, 48 SFP+ and 6 QSFP28 ports (N3K-C31108PC-V) | CSCvn77245 | Cisco NX-OS Software Release 9.3(2) (Aug 2019) |
| Cisco Nexus 31108TC-V, 48 10Gbase-T RJ-45 and 6 QSFP28 ports (N3K-C31108TC-V) | CSCvn77245 | Cisco NX-OS Software Release 9.3(2) (Aug 2019) |
| Cisco Nexus 3132C-Z Switches (N3K-C3132C-Z) | CSCvn77245 | Cisco NX-OS Software Release 9.3(2) (Aug 2019) |
| Cisco Nexus 3264C-E Switches (N3K-C3264C-E) | CSCvn77245 | Cisco NX-OS Software Release 9.3(2) (Aug 2019) |
| Cisco Nexus 7000 M3-Series 48-Port 1/10G Ethernet Module (N7K-M348XP-25L) | CSCvn77141 | Cisco NX-OS Software Release 8.4.1 (June 2019) |
| Cisco Nexus 7700 M3-Series 12-Port 100G Ethernet Module (N77-M312CQ-26L) | CSCvn77141 | Cisco NX-OS Software Release 8.4.1 (June 2019) |
| Cisco Nexus 7700 M3-Series 24-Port 40G Ethernet Module (N7K-M324FQ-25L) | CSCvn77141 | Cisco NX-OS Software Release 8.4.1 (June 2019) |
| Cisco Nexus 7700 M3-Series 48-Port 1/10G Ethernet Module (N77-M348XP-23L) | CSCvn77141 | Cisco NX-OS Software Release 8.4.1 (June 2019) |
| Cisco Nexus 7700 Supervisor 3 (N77-SUP3E) | CSCvn77141 | Cisco NX-OS Software Release 8.4.1 (June 2019) |
| Cisco Nexus 9332C ACI Spine Switch with 32p 40/100G QSFP28, 2p 1/10G SFP (N9K-C9332C) | CSCvn77143 | Cisco NX-OS Software Release 9.3(2) (Aug 2019) |
| Cisco Nexus 9364C ACI Spine Switch with 64p 40/100G QSFP28, 2p 1/10G SFP (N9K-C9364C) | CSCvn77143 | Cisco NX-OS Software Release 9.3(2) (Aug 2019) |
| Cisco Nexus 9500 4-Core/4-Thread Supervisor (N9K-SUP-A) | CSCvn77142 | |
| Cisco Nexus 9500 6-Core/12-Thread Supervisor (N9K-SUP-B) | CSCvn77142 | |
| Cisco Packet-over-T3/E3 Service Module (SM-X-1T3/E3) | CSCvn77147 | Release no. TBD (Oct 2019) |
| Cisco cBR-8 Integrated CCAP 40G Remote PHY Line Card (CBR-CCAP-LC-40G-R) | CSCvn77184 | Cisco IOS XE Software Release 16.12.1 (Jul 2019) |
| Cisco cBR-8 Integrated CCAP Line Card includes 2 DS D3.1 Modules as well as 1 US D3.1 Module (CBR-LC-8D31-16U31) | CSCvn77184 | Cisco IOS XE Software Release 16.12.1 (Jul 2019) |
| MDS 9700 48-Port 32-Gbps Fibre Channel Switching Module (DS-X9648-1536K9) | CSCvn77141 | Cisco NX-OS Software Release 8.4.1 (June 2019) |
| Nexus 9200 with 36p 40G 100G QSFP28 (N9K-C9236C) | CSCvn77143 | Cisco NX-OS Software Release 9.3(2) (Aug 2019) |
| Nexus 9200 with 48p 1/10G/25G SFP+ and 6p 40G QSFP or 4p 100G QSFP28 (N9K-C92160YC-X) | CSCvn77143 | Cisco NX-OS Software Release 9.3(2) (Aug 2019) |
| Nexus 9200 with 48p 10/25 Gbps and 18p 100G QSFP28 (N9K-C92300YC) | CSCvn77143 | Cisco NX-OS Software Release 9.3(2) (Aug 2019) |
| Nexus 9200 with 48p 100M/1GT, 4p 10/25G & 2p 40/100G QSFP28 (N9K-C92348GC) | CSCvn77143 | Cisco NX-OS Software Release 9.3(2) (Aug 2019) |
| Nexus 9200 with 56p 40G QSFP+ and 8p 100G QSFP28 (N9K-C92304QC) | CSCvn77143 | Cisco NX-OS Software Release 9.3(2) (Aug 2019) |
| Nexus 9200 with 72p 40G QSFP+ (N9K-C9272Q) | CSCvn77143 | Cisco NX-OS Software Release 9.3(2) (Aug 2019) |
| Nexus 9300 with 48p 1/10G/25G SFP and 6p 40G/100G QSFP28, MACsec, and Unified Ports Capable (N9K-C93180YC-FX) | CSCvn77143 | Cisco NX-OS Software Release 9.3(2) (Aug 2019) |
| Nexus 9300 with 48p 100M/1G BASE-T, 4p 10/25G SFP28 and 2p 40G/100G QSFP28 (N9K-C9348GC-FXP) | CSCvn77143 | Cisco NX-OS Software Release 9.3(2) (Aug 2019) |
| Nexus 9300 with 48p 10G BASE-T and 6p 40G/100G QSFP28, MACsec Capable (N9K-C93108TC-FX) | CSCvn77143 | Cisco NX-OS Software Release 9.3(2) (Aug 2019) |
| Nexus 9K Fixed with 32p 100G QSFP28 (N9K-C9232C) | CSCvn77143 | Cisco NX-OS Software Release 9.3(2) (Aug 2019) |
| Nexus 9K Fixed with 48p 1/10G/25G SFP and 12p 40G/100G QSFP28 (N9K-C93240YC-FX2) | CSCvn77143 | Cisco NX-OS Software Release 9.3(2) (Aug 2019) |
| Nexus 9K Fixed with 48p 1/10G/25G SFP and 6p 40G/100G QSFP28 (N9K-C93180YC-EX) | CSCvn77143 | Cisco NX-OS Software Release 9.3(2) (Aug 2019) |
| Nexus 9K Fixed with 48p 10G BASE-T and 6p 40G/100G QSFP28 (N9K-C93108TC-EX) | CSCvn77143 | Cisco NX-OS Software Release 9.3(2) (Aug 2019) |
| Nexus 9K Fixed with up to 32p 40/50G QSFP+ or up to 18p 100G QSFP28 (N9K-C93180LC-EX) | CSCvn77143 | Cisco NX-OS Software Release 9.3(2) (Aug 2019) |
| Supervisor A+ for Nexus 9500 (N9K-SUP-A+) | CSCvn77142 | |
| Supervisor B+ for Nexus 9500 (N9K-SUP-B+) | CSCvn77142 | |
| Voice and Unified Communications Devices | ||
| Analog Voice Network Interface Modules for Cisco 4000 Series ISRs (NIM-2FXO, NIM-4FXO, NIM-2FXS, NIM-4FXS, NIM-2FXS/4FXO, NIM-2FXSP, NIM-4FXSP, NIM-2FXS/4FXOP, NIM-4E/M, NIM-2BRI-NT/TE, NIM-4BRI-NT/TE) | CSCvn77151 | Release no. TBD (Sep 2019) |
| Cisco 4000 Series Integrated Services Router T1/E1 Voice and WAN Network Interface Modules (NIM-1MFT-T1/E1, NIM-2MFT-T1/E1, NIM-4MFT-T1/E1, NIM-8MFT-T1/E1, NIM-1CE1T1-PRI, NIM-2CE1T1-PRI, NIM-8CE1T1-PRI) | CSCvn77152 | Release no. TBD (Sep 2019) |
Are there available tools to detect if someone has used this exploit against me?
There is no such tool available at the moment. We will present our detection and mitigation technique in a talk at BlackHat USA 2019.
Can IDS/IPS detect or block this attack?
No
Does this vulnerability apply only to Cisco’s products?
Yes, this vulnerability is specific to Cisco’s proprietary FPGA-based hardware Trust Anchor implementations.
What are the implications of demonstrating modification of the FPGA bitstream?
Our findings support the practical exploitation of FPGA-based devices via direct bitstream analysis and modification. Through our research we developed a series of techniques to reliably add, subtract, and alter FPGA behavior without any need to perform register-transfer level (RTL) reconstruction. By demonstrating successful FPGA modification on the Xilinx Spartan 6 LX45T, we find that our bitstream manipulation techniques present a range of potential applications for persistent FPGA implants, physical destruction of embedded systems, and attacks against FPGA-based systems, such as software-defined radios, advanced automotive driver assist modules, weapon guidance systems, and more.
Have these vulnerabilities been exploited in the wild?
We are unaware of any use of this exploit in the wild, but the potential danger is severe.
Who discovered these vulnerabilities?
The Cisco Trust Anchor vulnerability was discovered by Jatin Kataria, Richard Housley, and Ang Cui of Red Balloon Security, Inc. The remote command injection vulnerability against Cisco IOS XE 16 was discovered by James Chambers, also of Red Balloon Security.
Who coordinates a response to these vulnerabilities?
Following our discovery of these two vulnerabilities, we reported them to the Cisco Product Security Incident Response Team (PSIRT) on November 8, 2018. We have worked with PSIRT since then to coordinate the public disclosure.
What action can be taken?
Please consult Cisco’s official security advisory. We did not receive early access to Cisco’s security patch, and will be analyzing the patches as they are made publicly available. Since 😾😾😾 is fundamentally a hardware design flaw, we believe it will be very difficult, if not impossible to fully resolve this vulnerability via a software patch.
How do you describe the meaning of this vulnerability name?
We chose to communicate 😾😾😾 through a visual representation of symbols, rather than “words.” Naming vulnerabilities using emoji sequences instead of other pronounceable natural languages have several advantages. First, emoji sequences are universally understood across nearly all natural languages. Choosing 😾😾😾 instead of a name rooted in any one language ensures that the technical contents of our research can be discussed democratically and without latent cultural or linguistic bias. Second, emojis are indexical to the digital age. Third, clear communication is the foundation of friendship, and such a foundation must begin with proper ontological agreement. Just as the universal language of mathematics is largely expressed through interlinguistic symbology, so too is 😾😾😾. Fourth, cats are seen as almost paradoxical beings. While they exist in our lives as the ultimate creatures of leisure, cats are also fierce predators. “Cats are the most highly specialized of the terrestrial flesh-eating mammals. They are powerfully built, with a large brain and strong teeth. The teeth are adapted to three functions: stabbing (canines), anchoring (canines), and cutting (carnassial molars).” (Lariviere, Serge; Stains, Howard James. “Feline.” Encyclopedia Britannica. Feline). For an incomplete list of felines in various mythologies, see this webpage.
How do you pronounce this vulnerability name?
There is no phonetic transcription for this specific sequence of repeated emojis, and the pronunciation is open to interpretation. We suggest “Thrangrycat” as a suitable enunciation.
Are you hiring?
Yes.
References
- Cisco PSIRT-0968652476
CVE ID: CVE-2019-1649
Vendor: Cisco Systems, Inc.
Product Type: IOS XE
Version: All 16.x, including 16.03(latest IOS XE) - Cisco PSIRT-0513862549
CVE ID: CVE-2019-1862
Vendor: Cisco Systems, Inc.
Product Type: IOS XE
Version: 16.03
Company Description
Founded in 2011, Red Balloon Security is a leading cyber security provider and research firm that specializes in the protection of all embedded devices regardless of industry. The New York City-based company secures embedded systems with a suite of host-based firmware security solutions that continuously monitor critical elements of firmware and report indications of attempted intrusions during runtime.
