Cisco's Trust Anchor module (TAm) can be bypassed through manipulating the bitstream of the Field Programmable Gate Array (FPGA). This component handles access control to a hardware component within Cisco's Secure Boot implementations, which affects multiple products that support this functionality. An authenticated, local attacker could bypass the Secure Boot and make persistent changes to the root trust for software integrity. Additionally, Cisco's IOS XE web UI improperly sanitizes user-input, and could allow an authenticated, remote attack to execute commands. An authenticated, remote attacker could execute commands as root on the vulnerable device.
CVE-2019-1649: Secure Boot Tampering, also known as Thrangrycat
The logic that handles Cisco's Secure Boot improperly checks an area of code that manages the Field Programmable Gate Array (FPGA). The secure boot feature is a proprietary FPGA based implementation used for ensuring chain of trust for software. The secure boot can be bypassed by modifying the bitstream of the FPGA, allowing an authenticated, local attacker to make persistent modification to the root of trust for software integrity.
A local or remote attacker could write a new firmware image to the TAm. When exploited together, these vulnerabilities could allow a remote, authenticated attacker to remotely and persistently bypass Secure Boot and prevent future software updates to the TAm.
This document was written by Madison Oliver.