Flaw Affecting Millions of Cisco Devices Let Attackers Implant Persistent Backdoor

By: Mohit Kumar

Researchers have discovered a severe vulnerability in Cisco products that could allow attackers to implant a persistent backdoor on a wide range of devices used in enterprise and government networks, including routers, switches, and firewalls.

Dubbed Thrangrycat or 😾😾😾, the vulnerability, discovered by researchers from the security firm Red Balloon and identified as CVE-2019-1649, affects multiple Cisco products that support Trust Anchor module (TAm).

Trust Anchor module (TAm) is a hardware-based Secure Boot function implemented in almost all Cisco enterprise devices since 2013; it ensures that the firmware running on the hardware platform is authentic and unmodified.

However, researchers found a series of hardware design flaws that could allow an authenticated attacker to make persistent modifications to the Trust Anchor module by altering its FPGA bitstream, and then load a malicious bootloader.

“An attacker with root privileges on the device can modify the contents of the FPGA anchor bitstream, which is stored unprotected in flash memory. Elements of this bitstream can be modified to disable critical functionality in the TAm,” researchers said.

“Successful modification of the bitstream is persistent, and the Trust Anchor will be disabled in subsequent boot sequences. It is also possible to lock out any software updates to the TAm’s bitstream.”

Chaining With Remote Bugs: No Physical Access Required

Since exploiting the vulnerability requires root privileges, an advisory released by Cisco stressed that only a local attacker with physical access to the targeted system could write a modified firmware image to the component.

However, Red Balloon researchers explained that attackers could also exploit the Thrangrycat vulnerability remotely by chaining it together with other flaws that could allow them to gain root access or, at least, execute commands as root.

To demonstrate this attack, the researchers revealed an RCE vulnerability (CVE-2019-1862) in the web-based user interface of Cisco’s IOS operating system that allows a logged-in administrator to remotely execute arbitrary commands on the underlying Linux shell of an affected device with root privileges.

More: https://thehackernews.com/2019/05/cisco-secure-boot-bypass.html?m=1

Remote Execution Vulnerability in CISCO IP Phone 7800 Series and 8800 Series

By: Information Security Newspaper

A vulnerability in the web-based management interface of the Session Initiation Protocol (SIP) Software on the Cisco IP Phone 7800 Series and the Cisco IP Phone 8800 Series could allow an unauthenticated remote attacker to generate a denial of service (DoS) condition or execute arbitrary code, mentioned experts from the best ethical hacking Institute, in conjunction with specialists from the International Institute of Cyber Security.

The vulnerability exists because the software insufficiently validates user-supplied input during the authentication process. According to reports, a hacker could exploit this flaw by connecting to an affected device over HTTP and delivering malicious user keys.

If successful, the attacker could activate a reload on the affected device, thereby generating a denial-of-service condition, or could execute arbitrary code using the user privileges of the application, said the experts from the best ethical hacking Institute. The company has already released software updates to fix this vulnerability. Other risk mitigation methods are not known at the time of writing.

According to the experts from the best ethical hacking Institute, the vulnerability affects Cisco IP Phone 7800 Series and 8800 Series products that run earlier versions of the SIP software.

Vulnerability Found in Cisco Webex Meetings

By: Kacy Zurkus

A security researcher has discovered an elevation-of-privilege vulnerability in the update service of the Cisco Webex Meetings application. The update service fails to properly validate user-supplied parameters, according to SecureAuth.

The vulnerability was discovered by Marcos Accossatto from SecureAuth’s exploit writers team, and the release of today’s vulnerability advisory was a coordinated effort between SecureAuth and Cisco. Reportedly used by millions of people each month, the video conferencing product’s flaw (CVE-2018-15442) allows code execution in Cisco Webex Meetings v33.6.2.16 and likely affects older versions as well, though they were not checked.

With a common weakness enumeration (CWE-78) classified as OS command injection, the vulnerability could allow an unprivileged local attacker to run arbitrary commands with system user privileges by invoking the update service command with a crafted argument, according to the advisory.

In the privilege escalation proof of concept (PoC), the researcher wrote: “The vulnerability can be exploited by copying to a local attacker controlled folder, the ptUpdate.exe binary. Also, a malicious dll must be placed in the same folder, named wbxtrace.dll. To gain privileges, the attacker must start the service with the command line: sc start webexservice install software-update 1 ‘attacker-controlled-path’ (if the parameter 1 doesn’t work, then 2 should be used).”

While the video conferencing provider had fixed this vulnerability last month, Accossatto was reportedly able to bypass that fix using DLL hijacking. Cisco’s Webex Meetings has now released a new patch and updated its previous security notice.
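The advisory above describes the abuse path: the update service is started with a `software-update` argument pointing at an attacker-controlled directory. A defender can catch this in process-creation telemetry by flagging any `sc start webexservice install software-update` invocation whose path lies outside the product's install directory. The following is an added example, not code from SecureAuth, Cisco or the advisory; the log line format, the host names and the trusted install roots are constructed assumptions for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation log lines (Sysmon/EDR-style export), not real telemetry.
SAMPLE_LOGS = [
    r'2019-05-14T10:01:02Z host=WS01 user=CORP\alice cmd="sc start webexservice install software-update 1 C:\Users\alice\Downloads\upd"',
    r'2019-05-14T10:05:00Z host=WS02 user=SYSTEM cmd="sc start webexservice install software-update 1 C:\Program Files\Webex\Webex\Applications"',
    r'2019-05-14T10:07:30Z host=WS01 user=CORP\alice cmd="notepad.exe C:\temp\notes.txt"',
]

# Assumed install locations of the legitimate updater; adjust to the deployment.
TRUSTED_ROOTS = (r"C:\Program Files\Webex", r"C:\Program Files (x86)\Webex")

FIELD_RE = re.compile(r'host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd="(?P<cmd>[^"]*)"')
UPDATE_RE = re.compile(
    r'^sc\s+start\s+webexservice\s+install\s+software-update\s+(?P<param>[12])\s+(?P<path>.+)$',
    re.IGNORECASE)


def is_trusted_path(path: str) -> bool:
    """True only if the update path lies under a trusted root and contains no '..' traversal."""
    p = PureWindowsPath(path.strip('\'"'))
    if ".." in p.parts:          # PureWindowsPath keeps '..' components, so reject them explicitly
        return False
    norm = str(p).lower()        # Windows paths are case-insensitive
    return any(norm == r.lower() or norm.startswith(r.lower() + "\\") for r in TRUSTED_ROOTS)


def classify(line: str):
    """Return a finding dict for a webexservice update started from an untrusted path, else None."""
    m = FIELD_RE.search(line)
    if not m:
        return None
    u = UPDATE_RE.match(m.group("cmd").strip())
    if not u or is_trusted_path(u.group("path")):
        return None
    return {"host": m.group("host"), "user": m.group("user"),
            "param": u.group("param"), "path": u.group("path").strip('\'"'),
            "reason": "webexservice software-update pointed at a non-trusted directory"}


def find_suspicious(lines):
    """Run classify() over a batch of log lines and keep only the findings."""
    return [f for f in map(classify, lines) if f]


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOGS):
        print(finding)
```

The rule is deliberately narrow (one service, one verb) so it stays low-noise; a legitimate update started from the install directory, as in the second sample line, is not flagged.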

More: https://www.infosecurity-magazine.com/news/vulnerability

Crypto Flaw Affects Products From Cisco, Huawei, ZyXEL

By: Eduard Kovacs

A team of researchers has disclosed the details of a new attack method that can be used to crack encrypted communications. The products of several vendors, including Cisco, Huawei, ZyXEL and Clavister, are impacted.

The attack will be presented later this week at the 27th USENIX Security Symposium in Baltimore, Maryland, by researchers from the University of Opole in Poland and the Ruhr-University Bochum in Germany. The research paper has already been made public.

The experts have analyzed the impact of key reuse on Internet Protocol Security (IPsec), a protocol that authenticates and encrypts the data packets sent over a network. IPsec is often used for virtual private networks (VPNs).

The cryptographic keys for IPsec are negotiated with the Internet Key Exchange (IKE) protocol, which has two versions, IKEv1 and IKEv2. Each version of IKE has different modes, configurations and authentication methods.

“[Reusing] a key pair across different versions and modes of IKE can lead to cross-protocol authentication bypasses, enabling the impersonation of a victim host or network by attackers,” the researchers explained. “We exploit a Bleichenbacher oracle in an IKEv1 mode, where RSA encrypted nonces are used for authentication. Using this exploit, we break these RSA encryption based modes, and in addition break RSA signature based authentication in both IKEv1 and IKEv2. Additionally, we describe an offline dictionary attack against the PSK (Pre-Shared Key) based IKE modes, thus covering all available authentication mechanisms of IKE.”

The attack has been found to work against Cisco (CVE-2018-0131), Huawei (CVE-2017-17305), ZyXEL (CVE-2018-9129) and Clavister (CVE-2018-8753) products.

Cisco, Huawei and ZyXEL published advisories for this vulnerability on Monday. Clavister, a provider of network security solutions, released patches for its Clavister cOS Core operating system in early May.

Cisco, which assigned the issue a severity rating of “medium,” described it as a vulnerability in the implementation of RSA-encrypted nonces in the company’s IOS and IOS XE software. An unauthenticated attacker can remotely obtain the encrypted nonces of an IKEv1 session by sending specially crafted ciphertexts to the targeted device.

More: https://www.securityweek.com/crypto-flaw-affects-products-cisco-huawei-zyxel