Vendor Vulnerabilities Pressuring Enterprise IT NetOps
Stories are increasingly hitting the news and social media exposing network vendor vulnerabilities with potentially significant consequences for enterprise networks and critical data. The latest comes from Red Balloon Security, a research group known for exposing vulnerabilities in Cisco® products. It shows how two separate vulnerabilities can be chained into a single attack.
The first is a command injection vulnerability in the web-based user interface of Cisco IOS XE Software (CVE-2019-1862). It could allow an authenticated, remote attacker to execute commands on the underlying Linux shell of an affected device with root privileges.
The second and more serious vulnerability is called “Thrangrycat” (CVE-2019-1649). It allows an attacker who already has root on the device to bypass Cisco’s Trust Anchor module (TAm) by manipulating the Field Programmable Gate Array (FPGA) bitstream that implements it. The TAm is a proprietary hardware security module used in a wide range of Cisco products, and it is the root of trust on which Secure Boot and the other security mechanisms in these devices depend.
Chaining the two gives an attacker a remote path to full control of the router and a way to persistently tamper with the TAm, including blocking future updates to it, so a compromised device can serve as a foothold for attacking the rest of the network.
Cisco has rated both as High impact vulnerabilities. Patches for the web UI flaw have already been released, and software updates for Thrangrycat are being developed and released per platform. There is no workaround for Thrangrycat, and Cisco has stated it is “not aware of malicious use” of either vulnerability.
Establishing a Course of Action with Gluware to Assess and Act
Gluware® Intelligent Network Automation is engineered to help enterprise IT manage multi-vendor, multi-platform networks, including responding to the constant barrage of vulnerabilities.
There is a five-step process to follow using the Gluware platform to assess and protect in such cases:
- DISCOVER: Using Device Manager within Gluware Control, perform a discovery of the network to determine the real-time inventory, including vendor, model, serial number and OS version. The security advisories specify the affected products, which can then be searched for in the Gluware Device Manager.
- ASSESS: Also using Device Manager, perform a PSIRT assessment. This integrated capability uses the Cisco Support API* to retrieve the PSIRT advisories issued against the devices in your inventory. Each PSIRT is classified as High, Medium or Low impact. Review these advisories to determine the risk and exposure in your network. *Cisco® Support APIs require a Cisco Partner Support Services (PSS) partner or Cisco Smart Net Total Care (SNTC) customer account for access.
- AUDIT: Use the Config Drift and Audit app to audit your network for the configuration statements that expose a vulnerability. For CVE-2019-1862 these are the global statements ip http server and ip http secure-server, which enable the HTTP server feature that the web UI runs on. A network-wide audit with Gluware determines which devices are exposed. Note that the default state of the HTTP server varies by platform and version; where it is on by default the line may not appear in the running configuration at all, and only an explicit no ip http server means it is off.
- CONFIG: Use the Config Modeling app to reliably and scalably roll out the configuration change required to implement the workaround, in this case removing those commands from the global section of the configuration. If your network can tolerate it, use Config Modeling to disable the HTTP/HTTPS processes and harden remote access. This does not fix Thrangrycat, but it closes the remote path (CVE-2019-1862) an attacker would use to obtain the root access that CVE-2019-1649 requires. Confirm first that no management tooling depends on the device’s web UI or HTTPS-based APIs.
- UPGRADE: Use the OS Upgrade app to update the operating system and ROMMON once the vendor provides a fix and your organization has tested and approved the newer OS version for deployment in your network.
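The AUDIT and CONFIG steps above can be checked outside any particular tool. The following is an added example, not Gluware or Cisco code: it inspects a captured running-config for the HTTP server commands, flags IOS XE devices as exposed to CVE-2019-1862, and emits the workaround commands. The hostnames, config snippets and show version strings are constructed for illustration; the IOS XE test is a plain substring match on show version output and is a heuristic, so the authoritative affected-version check remains Cisco's Software Checker or the PSIRT API. The http_default_on flag handles the platform caveat where an unmentioned ip http server line means the feature is on.

```python
"""Audit Cisco IOS / IOS XE running-configs for the HTTP server feature
that the CVE-2019-1862 web UI depends on, and emit the CONFIG-step
remediation.  Added example, not Gluware or Cisco code.  All sample
data below is constructed for illustration.
"""
import re

HTTP_CMDS = ("ip http server", "ip http secure-server")

# Constructed 'show version' fragments (IOS XE vs. classic IOS).
SAMPLE_VERSION_XE = "Cisco IOS XE Software, Version 16.09.02"
SAMPLE_VERSION_CLASSIC = "Cisco IOS Software, Version 15.2(4)M7"

# Constructed running-config: web UI enabled over HTTP and HTTPS.
SAMPLE_EXPOSED = """\
hostname edge-rtr-01
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
"""

# Constructed running-config: same device after the workaround.
SAMPLE_HARDENED = """\
hostname edge-rtr-01
!
no ip http server
no ip http secure-server
!
line vty 0 4
 transport input ssh
"""

# Constructed running-config that never mentions the HTTP server; on a
# platform where it is on by default this device is still exposed.
SAMPLE_SILENT = """\
hostname edge-sw-02
!
line vty 0 4
 transport input ssh
"""


def http_server_state(running_config):
    """Map each HTTP server command to True (enabled), False (explicitly
    disabled with 'no ...') or None (not mentioned at all).

    Only top-level lines are considered, so an indented line inside a
    sub-mode cannot be mistaken for the global toggle.  Exact matching
    keeps 'ip http authentication ...' from matching 'ip http server'.
    """
    state = {cmd: None for cmd in HTTP_CMDS}
    for line in running_config.splitlines():
        if not line or line[0].isspace() or line.startswith("!"):
            continue  # blank, comment, or sub-mode line
        text = re.sub(r"\s+", " ", line.strip())
        for cmd in HTTP_CMDS:
            if text == cmd:
                state[cmd] = True
            elif text == "no " + cmd:
                state[cmd] = False
    return state


def is_ios_xe(version_output):
    """Heuristic: CVE-2019-1862 is in the IOS XE web UI, not classic IOS."""
    return "IOS XE" in version_output or "IOS-XE" in version_output


def assess(hostname, version_output, running_config, http_default_on=False):
    """Return an audit record plus the CONFIG-step commands for one device.

    http_default_on=True treats an unmentioned command as enabled, for
    platforms whose HTTP server is on unless explicitly negated.
    """
    state = http_server_state(running_config)
    enabled = [cmd for cmd, on in state.items()
               if on is True or (on is None and http_default_on)]
    # Remediation applies to any device with the feature on; the
    # 'exposed' flag is specific to the IOS XE web UI vulnerability.
    remediation = []
    if enabled:
        remediation = (["configure terminal"]
                       + ["no " + cmd for cmd in enabled]
                       + ["end", "write memory"])
    return {"hostname": hostname,
            "exposed": is_ios_xe(version_output) and bool(enabled),
            "http_state": state,
            "remediation": remediation}


if __name__ == "__main__":
    for host, ver, cfg, dflt in [
        ("edge-rtr-01", SAMPLE_VERSION_XE, SAMPLE_EXPOSED, False),
        ("edge-rtr-01", SAMPLE_VERSION_XE, SAMPLE_HARDENED, False),
        ("edge-sw-02", SAMPLE_VERSION_XE, SAMPLE_SILENT, True),
    ]:
        r = assess(host, ver, cfg, http_default_on=dflt)
        print(f"{r['hostname']}: exposed={r['exposed']} "
              f"remediation={r['remediation']}")
```

Run it against the text of show running-config and show version collected from each device; the returned remediation list is what the CONFIG step pushes. Before pushing it, confirm nothing in the environment relies on the device's HTTPS service, since the same process serves the web UI and HTTPS-based management APIs.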
The Devil is in the Details with Vulnerabilities that Involve Updating Field-Programmable Hardware including the CPLD Remotely on Network Devices
Thrangrycat (CVE-2019-1649) potentially affects multiple Cisco products that support hardware-based Secure Boot. The field-programmable hardware involved includes FPGAs and complex programmable logic devices (CPLDs).
Cisco disclosed in their security advisory: “The vulnerability is due to an improper check on the area of code that manages on-premise updates to a Field Programmable Gate Array (FPGA) part of the Secure Boot hardware implementation. An attacker with elevated privileges and access to the underlying operating system that is running on the affected device could exploit this vulnerability by writing a modified firmware image to the FPGA. A successful exploit could either cause the device to become unusable (and require a hardware replacement) or allow tampering with the Secure Boot verification process, which under some circumstances may allow the attacker to install and boot a malicious software image.
Cisco will release software updates that address this vulnerability. There are no workarounds that address this vulnerability.”
The security advisory provides a long list of affected products. While fixed images are already available for some, many will not be released until June or later. Where the fix requires an update to the FPGA or CPLD it may be difficult to perform remotely. Cisco states, “In most cases, the fix will require an on-premise reprogramming of a low-level hardware component that is required for normal device operation. A failure during this reprogramming process may cause the device to become unusable and require a hardware replacement.” This is because of the risk of a failure during the procedure and because, for many products, a power cycle is part of it.
Since this vulnerability affects products running ASA, NX-OS, IOS, IOS XE and other operating systems, each has its own process for applying the fix. For IOS- and NX-OS-based products the OS image includes the hardware-related files, so a standard OS upgrade can address the problem. For newer platforms such as the ISR 4000 Series running IOS XE and the ASR 9000 Series running IOS XR, there is a separate process to update the FPGA/CPLD code. Performing this remotely is discouraged by the vendor, since a failure can result in an RMA. This type of upgrade also requires a power cycle, and not all products support a remote “cold boot”, so some must be physically powered off and on. The ASA is a further special case: its CPLD cannot be updated over a remote Telnet or SSH session and must be updated out-of-band through the console port. The only way to automate that remotely is through a remote console server such as the products from Opengear.
The Gluware® OS Upgrade app can already perform a reliable remote upgrade of the OS and ROMMON, which covers the IOS- and NX-OS-based products. We are currently testing remote upgrade of the FPGA/CPLD and will release support for the platforms mentioned based on customer requirements. Gluware is also working on remote automation through the console port using Opengear products. The Cisco fix is available now for some platforms, with many more coming in June or later, so stay tuned for updates on how it can be deployed.
Conclusion
At this point, take the first steps: inventory your network, perform the PSIRT assessment, audit for the HTTP server commands and automate removal of the HTTP/HTTPS processes to harden remote access. That does not close Thrangrycat itself, but it removes the remote path to the root access the vulnerability requires. Check the “Fixed Release Availability” section of the security advisory so you can start testing and plan a deployment as soon as the Thrangrycat fix for your affected platforms becomes available.
For more information or a demonstration of Intelligent Network Automation with Gluware® Control, contact: sales@gluware.com.