Cisco patches IOS XE remote command injection flaw

By on
Cisco patches IOS XE remote command injection flaw

But a Secure Boot vulnerability is harder to fix.

Cisco has released patches for products that are vulnerable to a remotely exploitable command injection flaw.

The vulnerability has been given the Common Exposures and Vulnerabilities index of CVE-2019-1649, and was discovered by security researchers Red Balloon. 

It affects the Linux-based Cisco IOS XE operating system version 16.x, and allows remote command injection with root superuser privileges via the web user interface in the software.

An attacker would have to be authenticated as administrator on the target system, however, to take advantage of the vulnerability.

The vulnerability is caused by improper handling of user input, allowing attackers to supply a specially crafted parameter on a web form.

Red Balloon notified Cisco of the above vulnerability in November last year, and says it can be chained with another hardware design flaw, in a combo attack that it calls Thrangrycat (denoted by three angry cat emojis).

Thrangrycat targets the Cisco Trust Anchor proprietary hardware security module in a large number of the company's enterprise routers, switches and firewalls.

Red Balloon found it was possible to make a persistent modification to the Trust Anchor module, through manipulating a field programmable gate array (FPGA) bitstream.

This defeats the Secure Boot process for devices, Red Balloon said, and invalidates Cisco's chain of trust at its root.

Cisco has acknowledged the flaw, and said that an attacker with elevated privileges and access to the underlying operating system on affected devices could exploit the vulnerability to write a modified firmware image to the FPGA.

This, in turn, could allow attackers to either render the vulnerable devices unusable, requiring full hardware replacement, or bypass the Secure Boot verification process to install and boot malicious software, Cisco said.

While there are no workarounds for the flaw currently, Cisco said it will issue software updates.

However, Red Balloon said that as the flaws are within the hardware design, "it is unlikely that any software security patch will fully resolve the fundamental security vulnerability."

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
cisco red balloon security

Most Read Articles

Researchers say not to use myGovID until login flaw is fixed

Researchers say not to use myGovID until login flaw is fixed
Aussie Broadband boss says NBN Co could change price construct in months, if it wanted to

Aussie Broadband boss says NBN Co could change price construct in months, if it wanted to
'Zerologon' Windows domain admin bypass exploit released

'Zerologon' Windows domain admin bypass exploit released
Optus, Vocus score first deals in ATO telco carve-up

Optus, Vocus score first deals in ATO telco carve-up
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

A Migration Guide For Businesses Switching Mobile Device Management Solutions
A Migration Guide For Businesses Switching Mobile Device Management Solutions
Plan your post-COVID security strategy
Plan your post-COVID security strategy
The Executive's Guide To The Future Of Work
The Executive's Guide To The Future Of Work
Government Digital Transformation Requires Customer Obsession
Government Digital Transformation Requires Customer Obsession
Master the fundamentals of AWS cost efficiency
Master the fundamentals of AWS cost efficiency

Events

Log In

Username / Email:
Password:
  |  Forgot your password?