thrangrycat

Thrangrycat

Presentation Slides

This research was presented at Black Hat 2019 and DEF CON 27. The presentation, titled “100 Seconds of Solitude: Defeating Cisco Trust Anchor With FPGA Bitstream Shenanigans", is available here.

Tool Released

Following Black Hat 2019 and DEF CON 27, we released open-source tools which are available on Github. First, we developed a Binary Abstraction Layer (BAL) package which is a tiny framework for analyzing and manipulating binary data. Second, we developed a BAL Xilinx package, an implementation of the BAL framework for Xilinx FPGA. This BAL Xilinx package supports: (i) packing and unpacking of most of the bitstream; (ii) target device and encryption detection; and (iii) pin modification (force the pin high and low). Lastly, we developed the BAL Visualizer which is a tool used to visualize binary data. The visualization file is generated by the BAL framework, and the visualization application runs entirely in a browser and no data is uploaded to the network.

BAL Package: https://github.com/ballon-rouge/bal
BAL Xilinx Package: https://github.com/RedBalloonShenanigans/bal-xilinx
BAL Visualizer: https://github.com/ballon-rouge/bal-visualizer

Awards

We are excited to announce that 😾😾😾 has won the 2019 Pwnie Award for the Most Under-Hyped Research!

Vulnerability Disclosure

Red Balloon Security, Inc. is disclosing two vulnerabilities affecting the products of Cisco Systems, Inc. (“Cisco”). The first, known as 😾😾😾, allows an attacker to fully bypass Cisco’s Trust Anchor module (TAm) via Field Programmable Gate Array (FPGA) bitstream manipulation. The second is a remote command injection vulnerability against Cisco IOS XE version 16 that allows remote code execution as root. By chaining the 😾😾😾 and remote command injection vulnerabilities, an attacker can remotely and persistently bypass Cisco’s secure boot mechanism and lock out all future software updates to the TAm.

Summary

😾😾😾 is caused by a series of hardware design flaws within Cisco’s Trust Anchor module. First commercially introduced in 2013, Cisco Trust Anchor module (TAm) is a proprietary hardware security module used in a wide range of Cisco products, including enterprise routers, switches and firewalls. TAm is the root of trust that underpins all other Cisco security and trustworthy computing mechanisms in these devices. 😾😾😾 allows an attacker to make persistent modification to the Trust Anchor module via FPGA bitstream modification, thereby defeating the secure boot process and invalidating Cisco’s chain of trust at its root. While the flaws are based in hardware, 😾😾😾 can be exploited remotely without any need for physical access. Since the flaws reside within the hardware design, it is unlikely that any software security patch will fully resolve the fundamental security vulnerability.


Q & A

What is Cisco’s Trust Anchor?

Cisco Secure Boot is a secure startup process that ensures the integrity of the firmware running on Cisco hardware devices. To perform this validation each time the device resets, Cisco developed a separate, special-purpose hardware device, known as the Trust Anchor module (TAm), as a root of trust for the secure boot process. After system power-on, the TAm runs the first instructions, which immediately verify the integrity of the bootloader. Should any failure be detected, the device alerts the user and reboots the device, thus preventing the device from executing the modified bootloader.

How is Cisco’s Trust Anchor implemented?

At the design level, the hardware anchor is implemented using an external FPGA. After initial power-on, the FPGA loads an unencrypted bitstream implementing the hardware Trust Anchor to provide root of trust functionality from a dedicated Serial Peripheral Interface (SPI) flash chip. Once the bitstream is loaded, the FPGA performs integrity verification of the pre-boot environment, before the microloader is delivered to the main processor. The FPGA anchor is connected to the main processor via its south bridge and controls the reset pin of the processor. If the FPGA anchor detects any integrity violations in the pre-boot environment, the anchor halts and reboots the system.

What is the vulnerability in Cisco’s Trust Anchor?

An attacker with root privileges on the device can modify the contents of the FPGA anchor bitstream, which is stored unprotected in flash memory. Elements of this bitstream can be modified to disable critical functionality in the TAm. Successful modification of the bitstream is persistent, and the Trust Anchor will be disabled in subsequent boot sequences. It is also possible to lock out any software updates to the TAm’s bitstream.

On what device(s) did you demonstrate the vulnerability?

The vulnerability was demonstrated on a Cisco ASR 1001-X router.

How widespread is this?

This vulnerability affects Cisco products with an FPGA based TAm. Cisco released the following list of more than 100 product families with this vulnerability.

Product Cisco Bug ID Fixed Release Availability
Network and Content Security Devices
Cisco ASA 5506-X with FirePOWER Services CSCvn77246 Firmware Release 1.1.15 (image name: asa5500-firmware-1115.SPA) (Available)
Cisco ASA 5506H-X with FirePOWER Services CSCvn77246 Firmware Release 1.1.15 (image name: asa5500-firmware-1115.SPA) (Available)
Cisco ASA 5506W-X with FirePOWER Services CSCvn77246 Firmware Release 1.1.15 (image name: asa5500-firmware-1115.SPA) (Available)
Cisco ASA 5508-X with FirePOWER Services CSCvn77246 Firmware Release 1.1.15 (image name: asa5500-firmware-1115.SPA) (Available)
Cisco ASA 5516-X with FirePOWER Services CSCvn77246 Firmware Release 1.1.15 (image name: asa5500-firmware-1115.SPA) (Available)
Cisco Firepower 2100 Series CSCvn77248 Cisco Firepower Threat Defense 6.2.2.5 (Available)
Cisco Firepower Threat Defense 6.2.2.12 (Available)
Cisco Firepower Threat Defense 6.3.0.3 (Available)
Cisco Firepower Threat Defense 6.4.0.1 (Available)
Cisco Firepower 4000 Series CSCvn77249 Firmware bundle package v1.0.18 with ROMMON rev 1.0.15 and FPGA rev 2.0: (Image Names: fxos-k9-fpr4k-firmware.1.0.18.SPA and fxos-k9-fpr9k-firmware.1.0.18.SPA) (Available)
Cisco Firepower 9000 Series CSCvn77249 Firmware bundle package v1.0.18 with ROMMON rev 1.0.15 and FPGA rev 2.0: (Image Names: fxos-k9-fpr4k-firmware.1.0.18.SPA and fxos-k9-fpr9k-firmware.1.0.18.SPA) (Available)
Routing and Switching - Enterprise and Service Provider
10Gbps Optical Encryption Line Card for the Cisco NCS 2000 Series and Cisco ONS 15454 MSTP (15454-M-WSE-K9) CSCvn77191 11.1 (Jul 2019)
CBR-8 Converged Broadband Router CSCvn77185 Cisco IOS XE Software Release 16.12.1 (Jul 2019)
Cisco 1-Port Gigabit Ethernet WAN Network Interface Module (NIM-1GE-CU-SFP) CSCvn77218 Cisco IOS XE Software Release 16.3.9 (Jul 2019)
Cisco IOS XE Software Release 16.6.7 (Oct 2019)
Cisco IOS XE Software Release 16.9.4 (Aug 2019)
Cisco IOS XE Software Release 16.12.1 (Jul 2019)
Cisco 1120 Connected Grid Router CSCvn89140 Cisco IOS Software Release 15.9(3)M (Aug 2019)
Cisco IOS Software Release 15.8(3)M3 (Aug 2019)
Cisco IOS Software Release 15.7(3)M5 (Sep 2019)
Cisco IOS Software Release 15.6(3)M7 (Sep 2019)
Cisco 1240 Connected Grid Router CSCvn89137 Cisco IOS Software Release 15.9(3)M (Aug 2019)
Cisco IOS Software Release 15.8(3)M3 (Aug 2019)
Cisco IOS Software Release 15.7(3)M5 (Sep 2019)
Cisco IOS Software Release 15.6(3)M7 (Sep 2019)
Cisco 2-Port Gigabit Ethernet WAN Network Interface Module (NIM-2GE-CU-SFP) CSCvn77218 Cisco IOS XE Software Release 16.3.9 (Jul 2019)
Cisco IOS XE Software Release 16.6.7 (Oct 2019)
Cisco IOS XE Software Release 16.9.4 (Aug 2019)
Cisco IOS XE Software Release 16.12.1 (Jul 2019)
Cisco 3000 Series Industrial Security Appliances CSCvn89146 Firmware release 1.0.05 (image name: isa3000-firmware-1005.SPA) (Available)
Cisco 4000 Series Integrated Services Router Packet 1024-Channel High-Density Voice DSP Module (SM-X-PVDM-1000) CSCvn77212 Cisco IOS XE Software Release 16.3.9 (Jul 2019)
Cisco IOS XE Software Release 16.6.7 (Oct 2019)
Cisco IOS XE Software Release 16.9.4 (Aug 2019)
Cisco IOS XE Software Release 16.12.1 (Jul 2019)
Cisco 4000 Series Integrated Services Router Packet 2048-Channel High-Density Voice DSP Module (SM-X-PVDM-2000) CSCvn77212 Cisco IOS XE Software Release 16.3.9 (Jul 2019)
Cisco IOS XE Software Release 16.6.7 (Oct 2019)
Cisco IOS XE Software Release 16.9.4 (Aug 2019)
Cisco IOS XE Software Release 16.12.1 (Jul 2019)
Cisco 4000 Series Integrated Services Router Packet 3080-Channel High-Density Voice DSP Module (SM-X-PVDM-3000) CSCvn77212 Cisco IOS XE Software Release 16.3.9 (Jul 2019)
Cisco IOS XE Software Release 16.6.7 (Oct 2019)
Cisco IOS XE Software Release 16.9.4 (Aug 2019)
Cisco IOS XE Software Release 16.12.1 (Jul 2019)
Cisco 4000 Series Integrated Services Router Packet 768-Channel High-Density Voice DSP Module (SM-X-PVDM-500) CSCvn77212 Cisco IOS XE Software Release 16.3.9 (Jul 2019)
Cisco IOS XE Software Release 16.6.7 (Oct 2019)
Cisco IOS XE Software Release 16.9.4 (Aug 2019)
Cisco IOS XE Software Release 16.12.1 (Jul 2019)
Cisco 4221 Integrated Services Router CSCvn77153 Utility File Name: isr4200_cpld_update_v1.1_SPA.bin (Jun 2019)
Cisco 4321 Integrated Services Router CSCvn77156 Utility File Name: isr4300_cpld_update_v1.1_SPA.bin (Jun 2019)
Cisco 4331 Integrated Services Router CSCvn77156 Utility File Name: isr4300_cpld_update_v1.1_SPA.bin (Jun 2019)
Cisco 4351 Integrated Services Router CSCvn77156 Utility File Name: isr4300_cpld_update_v1.1_SPA.bin (Jun 2019)
Cisco 4431 Integrated Services Router CSCvn77155 Utility File Name: isr4400_cpld_update_v1.1_SPA.bin (Jun 2019)
Cisco 4451-X Integrated Services Router CSCvn77155 Utility File Name: isr4400_cpld_update_v1.1_SPA.bin (Jun 2019)
Cisco 4461 Integrated Services Router CSCvn77154 Utility File Name: isr4400_cpld_update_v1.1_SPA.bin (Jun 2019)
Cisco 5000 Series Enterprise Network Compute System CSCvn77150 Release no. TBD (Jul 2019)
Cisco 809 Industrial Integrated Services Routers CSCvn89138 Cisco IOS Software Release 15.8(3)M2a (May 2019)
Cisco IOS Software Release 15.7(3)M4b (May 2019)
Cisco IOS Software Release 15.6(3)M6b (May 2019)
Cisco 829 Industrial Integrated Services Routers CSCvn89143 Cisco IOS Software Release 15.8(3)M2a (May 2019)
Cisco IOS Software Release 15.7(3)M4b (May 2019)
Cisco IOS Software Release 15.6(3)M6b (May 2019)
Cisco ASR 1000 Embedded Services Processor, 200G (ASR1000-ESP200) CSCvn77159 Release no. TBD (Jun 2019)
Cisco ASR 1000 Fixed Ethernet Line Card (6x10GE) (ASR1000-6TGE) CSCvn89144 Release no. TBD (Jun 2019)
Cisco ASR 1000 Fixed Ethernet Line Card, 2x10GE + 20x1GE (ASR1000-2T+20X1GE) CSCvn89144 Release no. TBD (Jun 2019)
Cisco ASR 1000 Series 100-Gbps Embedded Services Processor (ASR 1000-ESP100) CSCvn77160 Release no. TBD (Jun 2019)
Cisco ASR 1000 Series Modular Interface Processor (ASR1000-MIP100) CSCvn77158 Release no. TBD (Jun 2019)
Cisco ASR 1000 Series Route Processor 3 (Cisco ASR1000-RP3) CSCvn77167 Release no. TBD (Jun 2019)
Cisco ASR 1001-HX Router CSCvn77162 ASR1K-fpga_prog.16.0.0.xe.bin (Available)
Cisco ASR 1001-X CSCvn89145 ASR1K-fpga_prog.16.0.0.xe.bin (Available)
Cisco ASR 1002-HX Router CSCvn77166 ASR1K-fpga_prog.16.0.0.xe.bin (Available)
Cisco ASR 900 Series Route Switch Processor 2 - 128G, Base Scale (A900-RSP2A-128) CSCvn77168 Cisco IOS XE Software Release 16.12.1 (Jul 2019)
Cisco ASR 900 Series Route Switch Processor 2 - 64G, Base Scale (A900-RSP2A-64) CSCvn77168 Cisco IOS XE Software Release 16.12.1 (Jul 2019)
Cisco ASR 900 Series Route Switch Processor 3 - 200G, Large Scale (A900-RSP3C-200) CSCvn77169 Cisco IOS XE Software Release 16.12.1 (Jul 2019)
Cisco ASR 900 Series Route Switch Processor and Controller 400G (A900-RSP3C-400/W) CSCvn77169 Cisco IOS XE Software Release 16.12.1 (Jul 2019)
Cisco ASR 9000 Series 16-Port 100 Gigabit Ethernet Line Card (A99-16X100GE-X-SE) CSCvn77180 Cisco IOS XR Software Release 7.0.1 (Jul 2019)
Cisco ASR 9000 Series 16-Port 100 Gigabit Ethernet Line Card (A9K-16X100GE-TR, A9K-16X100GE-CM) CSCvn77180 Cisco IOS XR Software Release 7.0.1 (Jul 2019)
Cisco ASR 9000 Series 32-Port 100 Gigabit Ethernet Line Card (A99-32X100GE-TR, A99-32X100GE-CM) CSCvn77180 Cisco IOS XR Software Release 7.0.1 (Jul 2019)
Cisco ASR 9000 Series Route Switch Processor 5 for Packet Transport (A9K-RSP5-TR) CSCvn77175 Cisco IOS XR Software Release 7.0.1 (Jul 2019)
Cisco ASR 9000 Series Route Switch Processor 5 for Service Edge (A9K-RSP5-SE) CSCvn77175 Cisco IOS XR Software Release 7.0.1 (Jul 2019)
Cisco ASR 920 Series Aggregation Services Routers 10GE and 2-10GE - Passively Cooled DC model (ASR-920-10SZ-PD), Cisco ASR920 Series - 20GE SFP, 4Cu and 4-10GE: Modular PSU (ASR-920-20SZ-M) CSCvn77171 Cisco IOS XE Software Release 16.12.1 (Jul 2019)
Cisco ASR 920 Series Aggregation Services Routers 12 x 1/10GE SFP, AC Model (ASR-920-12SZ-A) CSCvn77171 Cisco IOS XE Software Release 16.12.1 (Jul 2019)
Cisco ASR 920 Series Aggregation Services Routers 12 x 1/10GE SFP, DC Model (ASR-920-12SZ-D) CSCvn77171 Cisco IOS XE Software Release 16.12.1 (Jul 2019)
Cisco ASR 920 Series Aggregation Services Routers 12GE and 2-10GE - AC model (ASR-920-12CZ-A) CSCvn77171 Cisco IOS XE Software Release 16.12.1 (Jul 2019)
Cisco ASR 920 Series Aggregation Services Routers 12GE and 2-10GE - DC model (ASR-920-12CZ-D) CSCvn77171 Cisco IOS XE Software Release 16.12.1 (Jul 2019)
Cisco ASR 920 Series Aggregation Services Routers 24GE Copper and 4-10GE – Modular PSU (ASR-920-24TZ-IM) CSCvn77172 Cisco IOS XE Software Release 16.12.1 (Jul 2019)
Cisco ASR 920 Series Aggregation Services Routers 24GE Copper and 4-10GE – Modular PSU (ASR-920-24TZ-M) CSCvn77172 Cisco IOS XE Software Release 16.12.1 (Jul 2019)
Cisco ASR 920 Series Aggregation Services Routers 24GE Fiber and 4-10GE – Modular PSU (ASR-920-24SZ-M) CSCvn77172 Cisco IOS XE Software Release 16.12.1 (Jul 2019)
Cisco ASR 920 Series Aggregation Services Routers 2GE and 4-10GE - AC model (ASR-920-4SZ-A) CSCvn77171 Cisco IOS XE Software Release 16.12.1 (Jul 2019)
Cisco ASR 920 Series Aggregation Services Routers 2GE and 4-10GE - DC model (ASR-920-4SZ-D) CSCvn77171 Cisco IOS XE Software Release 16.12.1 (Jul 2019)
Cisco ASR 920 Series Aggregation Services Routers Conformal Coated - 12GE and 4-10GE, 1 IM Slot (ASR-920-12SZ-IM-CC), Cisco ASR920 Series - 12GE and 4-10GE, 1 IM slot (ASR-920-12SZ-IM) CSCvn77170 Cisco IOS XE Software Release 16.12.1 (Jul 2019)
Cisco ASR 9900 Route Processor 3 for Packet Transport (A99-RP3-TR) CSCvn77175 Cisco IOS XR Software Release 7.0.1 (Jul 2019)
Cisco ASR 9900 Route Processor 3 for Service Edge (A99-RP3-SE) CSCvn77175 Cisco IOS XR Software Release 7.0.1 (Jul 2019)
Cisco Catalyst 6800 16-port 10GE with Integrated DFC4-XL (C6800-16P10G-XL) CSCvn77182 Cisco IOS XE Software Release 15.5(1)SY4 (Sep 2019)
Cisco Catalyst 6800 32-port 10GE with Dual Integrated Dual DFC4-XL (C6800-32P10G-XL) CSCvn77182 Cisco IOS XE Software Release 15.5(1)SY4 (Sep 2019)
Cisco Catalyst 6800 8-port 10GE with Integrated DFC4-XL (C6800-8P10G-XL) CSCvn77182 Cisco IOS XE Software Release 15.5(1)SY4 (Sep 2019)
Cisco Catalyst 6800 8-port 40GE with Dual Integrated Dual DFC4-EXL (C6800-8P40G-XL) CSCvn77182 Cisco IOS XE Software Release 15.5(1)SY4 (Sep 2019)
Cisco Catalyst 6800 Series Supervisor Engine 6T XL CSCvn77181 Cisco IOS XE Software Release 15.5(1)SY4 (Sep 2019)
Cisco Catalyst 6816-X-Chassis (Standard Tables) (C6816-X-LE) CSCvn77183 Cisco IOS Software Release 15.5(1)SY4 (Sep 2019)
Cisco Catalyst 6824-X-Chassis and 2 x 40G (Standard Tables) (C6824-X-LE-40G) CSCvn77183 Cisco IOS Software Release 15.5(1)SY4 (Sep 2019)
Cisco Catalyst 6832-X-Chassis (Standard Tables) (C6832-X-LE) CSCvn77183 Cisco IOS Software Release 15.5(1)SY4 (Sep 2019)
Cisco Catalyst 6840-X-Chassis and 2 x 40G (Standard Tables) (C6840-X-LE-40G) CSCvn77183 Cisco IOS Software Release 15.5(1)SY4 (Sep 2019)
Cisco Catalyst 9300 Series Switches CSCvn77209 Utility name: cat9k_iosxe.16.00.00fpgautility.SPA.bin (Available)
Cisco Catalyst 9500 Series High-Performance Switch with 24x 1/10/25G Gigabit Ethernet + 4x 40/100G Uplink (C9500-24Y4C) CSCvn89150 Utility name: cat9k_iosxe.16.00.00fpgautility.SPA.bin (Available)
Cisco Catalyst 9500 Series High-Performance Switch with 32x 100 Gigabit Ethernet (C9500-32C) CSCvn89150 Utility name: cat9k_iosxe.16.00.00fpgautility.SPA.bin (Available)
Cisco Catalyst 9500 Series High-Performance Switch with 32x 40 Gigabit Ethernet (C9500-32QC) CSCvn89150 Utility name: cat9k_iosxe.16.00.00fpgautility.SPA.bin (Available)
Cisco Catalyst 9500 Series High-Performance Switch with 48x 1/10/25G Gigabit Ethernet + 4x 40/100G Uplink (C9500-48Y4C) CSCvn89150 Utility name: cat9k_iosxe.16.00.00fpgautility.SPA.bin (Available)
Cisco Catalyst 9500 Series Switch with 12x 40G Gigabit Ethernet (C9500-12Q) CSCvn77220 Utility name: cat9k_iosxe.16.00.00fpgautility.SPA.bin (Available)
Cisco Catalyst 9500 Series Switch with 16x 1/10G Gigabit Ethernet (C9500-16X) CSCvn77220 Utility name: cat9k_iosxe.16.00.00fpgautility.SPA.bin (Available)
Cisco Catalyst 9500 Series Switch with 24x 40G Gigabit Ethernet (C9500-24Q) CSCvn77220 Utility name: cat9k_iosxe.16.00.00fpgautility.SPA.bin (Available)
Cisco Catalyst 9500 Series Switch with 40x 1/10G Gigabit Ethernet (C9500-40X) CSCvn77220 Utility name: cat9k_iosxe.16.00.00fpgautility.SPA.bin (Available)
Cisco Catalyst 9600 Supervisor Engine-1 CSCvn95346 Cisco IOS XE Software Release 16.12.1 (Jul 2019)
Cisco Catalyst 9800-40 Wireless Controller CSCvn77165 C9800-40_fpga_prog.16.0.0.xe.bin (Available)
Cisco Catalyst 9800-80 Wireless Controller CSCvn77163 C9800-80_fpga_prog.16.0.0.xe.bin (Available)
Cisco IC3000 Industrial Compute Gateway CSCvp42792 Firmware Release 1.0.2 (image name IC3000-K9-1.0.3.SPA) (Jul 2019)
Cisco MDS 9000 Family 24/10 SAN Extension Module (DS-X9334-K9) CSCvn77141 Cisco NX-OS Software Release 8.4.1 (June 2019)
Cisco NCS 200 Series 10/40/100G MR Muxponder (NCS2K-MR-MXP-K9) CSCvn77191 11.1 (Jul 2019)
Cisco NCS 5500 12X10, 2X40 2XMPA Line Card Base (NC55-MOD-A-S) CSCvn77202 Cisco IOS XR Software Release 7.1.1 (Nov 2019)
Cisco NCS 5500 Series 24 Ports of 100GE and 12 Ports of 40GE High-Scale Line Card (NC55-24H12F-SE) CSCvn77202 Cisco IOS XR Software Release 7.1.1 (Nov 2019)
Cisco NCS 5500 Series 36 ports of 100GE High-Scale Line Card (NC55-36X100G-A-SE) CSCvn77202 Cisco IOS XR Software Release 7.1.1 (Nov 2019)
Cisco NCS 5504 Fabric Card (NC55-5504-FC) CSCvn77202 Cisco IOS XR Software Release 7.1.1 (Nov 2019)
Cisco NCS 5516 Fabric Card (NC55-5516-FC) CSCvn77202 Cisco IOS XR Software Release 7.1.1 (Nov 2019)
Cisco NCS 55A2 Fixed 24X10G + 16X25G MPA Chassis (NCS-55A2-MOD-S) CSCvn77201 Cisco IOS XR Software Release 7.1.1 (Nov 2019)
Cisco NCS 55A2 Fixed 24X10G + 16X25G MPA Chassis, Temperature Hardened (NCS-55A2-MOD-HD-S) CSCvn77201 Cisco IOS XR Software Release 7.1.1 (Nov 2019)
Cisco NCS 55A2 Fixed 24X10G + 16X25G MPA Chassis, Temperature Hardened with Conformal Coating (NCS-55A2-MOD-HX-S) CSCvn77201 Cisco IOS XR Software Release 7.1.1 (Nov 2019)
Cisco NCS 55A2 Fixed 24X10G + 16X25G MPA Scale Chassis (NCS-55A2-MOD-SE-S) CSCvn77201 Cisco IOS XR Software Release 7.1.1 (Nov 2019)
Cisco NCS 55A2 Fixed 24X10G + 16X25G MPA Scale Chassis, Temperature Hardened with Conformal Coating (NCS-55A2-MOD-SE-H-S) CSCvn77201 Cisco IOS XR Software Release 7.1.1 (Nov 2019)
Cisco NCS5501 - 40x10G and 4x100G Scale Chassis (NCS-5501-SE) CSCvn77201 Cisco IOS XR Software Release 7.1.1 (Nov 2019)
Cisco NCS5501 Fixed 48x10G and 6x100G Chassis (NCS-5501) CSCvn77201 Cisco IOS XR Software Release 7.1.1 (Nov 2019)
Cisco NCS5502 - 48x100G Scale Chassis (NCS-5502-SE) CSCvn77201 Cisco IOS XR Software Release 7.1.1 (Nov 2019)
Cisco NCS5502 Fixed 48x100G Chassis (NCS-5502) CSCvn77201 Cisco IOS XR Software Release 7.1.1 (Nov 2019)
Cisco NCS55A1 Fixed 24x100G Chassis (NCS-55A1-24H) CSCvn77201 Cisco IOS XR Software Release 7.1.1 (Nov 2019)
Cisco NCS55A1 Fixed 36x100G Base Chassis (NCS-55A1-36H-S) CSCvn77201 Cisco IOS XR Software Release 7.1.1 (Nov 2019)
Cisco NCS55A1 Fixed 36x100G Scale Chassis (NCS-55A1-36H-SE) CSCvn77201 Cisco IOS XR Software Release 7.1.1 (Nov 2019)
Cisco Network Convergence System 1002 CSCvn77219 Cisco IOS XR Software Release 7.0.1 (Jul 2019)
Cisco Network Convergence System 5001 CSCvn77207 Cisco IOS XR Software Release 7.1.1 (Nov 2019)
Cisco Network Convergence System 5002 CSCvn77205 Cisco IOS XR Software Release 7.1.1 (Nov 2019)
Cisco Network Convergence System 5500 Series: 1.2-Tbps IPoDWDM Modular Line Card (NC55-6X200-DWDM-S) CSCvn77202 Cisco IOS XR Software Release 7.1.1 (Nov 2019)
Cisco Network Convergence System 5500 Series: 36X100G MACsec Modular Line Cards (NC55-36X100G-S) CSCvn77202 Cisco IOS XR Software Release 7.1.1 (Nov 2019)
Cisco Nexus 31108PC-V, 48 SFP+ and 6 QSFP28 ports (N3K-C31108PC-V) CSCvn77245 Cisco NX-OS Software Release 9.3(2) (Aug 2019)
Cisco Nexus 31108TC-V, 48 10Gbase-T RJ-45 and 6 QSFP28 ports (N3K-C31108TC-V) CSCvn77245 Cisco NX-OS Software Release 9.3(2) (Aug 2019)
Cisco Nexus 3132C-Z Switches (N3K-C3132C-Z) CSCvn77245 Cisco NX-OS Software Release 9.3(2) (Aug 2019)
Cisco Nexus 3264C-E Switches (N3K-C3264C-E) CSCvn77245 Cisco NX-OS Software Release 9.3(2) (Aug 2019)
Cisco Nexus 7000 M3-Series 48-Port 1/10G Ethernet Module (N7K-M348XP-25L) CSCvn77141 Cisco NX-OS Software Release 8.4.1 (June 2019)
Cisco Nexus 7700 M3-Series 12-Port 100G Ethernet Module (N77-M312CQ-26L) CSCvn77141 Cisco NX-OS Software Release 8.4.1 (June 2019)
Cisco Nexus 7700 M3-Series 24-Port 40G Ethernet Module (N7K-M324FQ-25L) CSCvn77141 Cisco NX-OS Software Release 8.4.1 (June 2019)
Cisco Nexus 7700 M3-Series 48-Port 1/10G Ethernet Module (N77-M348XP-23L) CSCvn77141 Cisco NX-OS Software Release 8.4.1 (June 2019)
Cisco Nexus 7700 Supervisor 3 (N77-SUP3E) CSCvn77141 Cisco NX-OS Software Release 8.4.1 (June 2019)
Cisco Nexus 9332C ACI Spine Switch with 32p 40/100G QSFP28, 2p 1/10G SFP (N9K-C9332C) CSCvn77143 Cisco NX-OS Software Release 9.3(2) (Aug 2019)
Cisco Nexus 9364C ACI Spine Switch with 64p 40/100G QSFP28, 2p 1/10G SFP (N9K-C9364C) CSCvn77143 Cisco NX-OS Software Release 9.3(2) (Aug 2019)
Cisco Nexus 9500 4-Core/4-Thread Supervisor (N9K-SUP-A) CSCvn77142
Cisco Nexus 9500 6-Core/12-Thread Supervisor (N9K-SUP-B) CSCvn77142
Cisco Packet-over-T3/E3 Service Module (SM-X-1T3/E3) CSCvn77147 Release no. TBD (Oct 2019)
Cisco cBR-8 Integrated CCAP 40G Remote PHY Line Card (CBR-CCAP-LC-40G-R) CSCvn77184 Cisco IOS XE Software Release 16.12.1 (Jul 2019)
Cisco cBR-8 Integrated CCAP Line Card includes 2 DS D3.1 Modules as well as 1 US D3.1 Module (CBR-LC-8D31-16U31) CSCvn77184 Cisco IOS XE Software Release 16.12.1 (Jul 2019)
MDS 9700 48-Port 32-Gbps Fibre Channel Switching Module (DS-X9648-1536K9) CSCvn77141 Cisco NX-OS Software Release 8.4.1 (June 2019)
Nexus 9200 with 36p 40G 100G QSFP28 (N9K-C9236C) CSCvn77143 Cisco NX-OS Software Release 9.3(2) (Aug 2019)
Nexus 9200 with 48p 1/10G/25G SFP+ and 6p 40G QSFP or 4p 100G QSFP28 (N9K-C92160YC-X) CSCvn77143 Cisco NX-OS Software Release 9.3(2) (Aug 2019)
Nexus 9200 with 48p 10/25 Gbps and 18p 100G QSFP28 (N9K-C92300YC) CSCvn77143 Cisco NX-OS Software Release 9.3(2) (Aug 2019)
Nexus 9200 with 48p 100M/1GT, 4p 10/25G & 2p 40/100G QSFP28 (N9K-C92348GC) CSCvn77143 Cisco NX-OS Software Release 9.3(2) (Aug 2019)
Nexus 9200 with 56p 40G QSFP+ and 8p 100G QSFP28 (N9K-C92304QC) CSCvn77143 Cisco NX-OS Software Release 9.3(2) (Aug 2019)
Nexus 9200 with 72p 40G QSFP+ (N9K-C9272Q) CSCvn77143 Cisco NX-OS Software Release 9.3(2) (Aug 2019)
Nexus 9300 with 48p 1/10G/25G SFP and 6p 40G/100G QSFP28, MACsec, and Unified Ports Capable (N9K-C93180YC-FX) CSCvn77143 Cisco NX-OS Software Release 9.3(2) (Aug 2019)
Nexus 9300 with 48p 100M/1G BASE-T, 4p 10/25G SFP28 and 2p 40G/100G QSFP28 (N9K-C9348GC-FXP) CSCvn77143 Cisco NX-OS Software Release 9.3(2) (Aug 2019)
Nexus 9300 with 48p 10G BASE-T and 6p 40G/100G QSFP28, MACsec Capable (N9K-C93108TC-FX) CSCvn77143 Cisco NX-OS Software Release 9.3(2) (Aug 2019)
Nexus 9K Fixed with 32p 100G QSFP28 (N9K-C9232C) CSCvn77143 Cisco NX-OS Software Release 9.3(2) (Aug 2019)
Nexus 9K Fixed with 48p 1/10G/25G SFP and 12p 40G/100G QSFP28 (N9K-C93240YC-FX2) CSCvn77143 Cisco NX-OS Software Release 9.3(2) (Aug 2019)
Nexus 9K Fixed with 48p 1/10G/25G SFP and 6p 40G/100G QSFP28 (N9K-C93180YC-EX) CSCvn77143 Cisco NX-OS Software Release 9.3(2) (Aug 2019)
Nexus 9K Fixed with 48p 10G BASE-T and 6p 40G/100G QSFP28 (N9K-C93108TC-EX) CSCvn77143 Cisco NX-OS Software Release 9.3(2) (Aug 2019)
Nexus 9K Fixed with up to 32p 40/50G QSFP+ or up to 18p 100G QSFP28 (N9K-C93180LC-EX) CSCvn77143 Cisco NX-OS Software Release 9.3(2) (Aug 2019)
Supervisor A+ for Nexus 9500 (N9K-SUP-A+) CSCvn77142
Supervisor B+ for Nexus 9500 (N9K-SUP-B+) CSCvn77142
Voice and Unified Communications Devices
Analog Voice Network Interface Modules for Cisco 4000 Series ISRs (NIM-2FXO, NIM-4FXO, NIM-2FXS, NIM-4FXS, NIM-2FXS/4FXO, NIM-2FXSP, NIM-4FXSP, NIM-2FXS/4FXOP, NIM-4E/M, NIM-2BRI-NT/TE, NIM-4BRI-NT/TE) CSCvn77151 Release no. TBD (Sep 2019)
Cisco 4000 Series Integrated Services Router T1/E1 Voice and WAN Network Interface Modules (NIM-1MFT-T1/E1, NIM-2MFT-T1/E1, NIM-4MFT-T1/E1, NIM-8MFT-T1/E1, NIM-1CE1T1-PRI, NIM-2CE1T1-PRI, NIM-8CE1T1-PRI) CSCvn77152 Release no. TBD (Sep 2019)

Are there available tools to detect if someone has used this exploit against me?

There is no such tool available at the moment. We will present our detection and mitigation technique in a talk at BlackHat USA 2019.

Can IDS/IPS detect or block this attack?

No

Does this vulnerability apply only to Cisco’s products?

Yes, this vulnerability is specific to Cisco’s proprietary FPGA-based hardware Trust Anchor implementations.

What are the implications of demonstrating modification of the FPGA bitstream?

Our findings support the practical exploitation of FPGA-based devices via direct bitstream analysis and modification. Through our research we developed a series of techniques to reliably add, subtract, and alter FPGA behavior without any need to perform register-transfer level (RTL) reconstruction. By demonstrating successful FPGA modification on the Xilinx Spartan 6 LX45T, we find that our bitstream manipulation techniques present a range of potential applications for persistent FPGA implants, physical destruction of embedded systems, and attacks against FPGA-based systems, such as software-defined radios, advanced automotive driver assist modules, weapon guidance systems, and more.

Have these vulnerabilities been exploited in the wild?

We are unaware of any use of this exploit in the wild, but the potential danger is severe.

Who discovered these vulnerabilities?

The Cisco Trust Anchor vulnerability was discovered by Jatin Kataria, Richard Housley, and Ang Cui of Red Balloon Security, Inc. The remote command injection vulnerability against Cisco IOS XE 16 was discovered by James Chambers, also of Red Balloon Security.

Who coordinates a response to these vulnerabilities?

Following our discovery of these two vulnerabilities, we reported them to the Cisco Product Security Incident Response Team (PSIRT) on November 8, 2018. We have worked with PSIRT since then to coordinate the public disclosure.

What action can be taken?

Please consult Cisco’s official security advisory. We did not receive early access to Cisco’s security patch, and will be analyzing the patches as they are made publicly available. Since 😾😾😾 is fundamentally a hardware design flaw, we believe it will be very difficult, if not impossible to fully resolve this vulnerability via a software patch.

How do you describe the meaning of this vulnerability name?

We chose to communicate 😾😾😾 through a visual representation of symbols, rather than “words.” Naming vulnerabilities using emoji sequences instead of other pronounceable natural languages have several advantages. First, emoji sequences are universally understood across nearly all natural languages. Choosing 😾😾😾 instead of a name rooted in any one language ensures that the technical contents of our research can be discussed democratically and without latent cultural or linguistic bias. Second, emojis are indexical to the digital age. Third, clear communication is the foundation of friendship, and such a foundation must begin with proper ontological agreement. Just as the universal language of mathematics is largely expressed through interlinguistic symbology, so too is 😾😾😾. Fourth, cats are seen as almost paradoxical beings. While they exist in our lives as the ultimate creatures of leisure, cats are also fierce predators. “Cats are the most highly specialized of the terrestrial flesh-eating mammals. They are powerfully built, with a large brain and strong teeth. The teeth are adapted to three functions: stabbing (canines), anchoring (canines), and cutting (carnassial molars).” (Lariviere, Serge; Stains, Howard James. “Feline.” Encyclopedia Britannica. Feline). For an incomplete list of felines in various mythologies, see this webpage.

How do you pronounce this vulnerability name?

There is no phonetic transcription for this specific sequence of repeated emojis, and the pronunciation is open to interpretation. We suggest “Thrangrycat” as a suitable enunciation.

Are you hiring?

Yes.


References

  • Cisco PSIRT-0968652476
    CVE ID: CVE-2019-1649
    Vendor: Cisco Systems, Inc.
    Product Type: IOS XE
    Version: All 16.x, including 16.03(latest IOS XE)
  • Cisco PSIRT-0513862549
    CVE ID: CVE-2019-1862
    Vendor: Cisco Systems, Inc.
    Product Type: IOS XE
    Version: 16.03

Company Description

Founded in 2011, Red Balloon Security is a leading cyber security provider and research firm that specializes in the protection of all embedded devices regardless of industry. The New York City-based company secures embedded systems with a suite of host-based firmware security solutions that continuously monitor critical elements of firmware and report indications of attempted intrusions during runtime.


logo