Thangrycat: a deadly Cisco vulnerability named after an emoji 😾😾😾

Originally published at:


Wait, the attacker first got root access to the server before she could use this exploit? Okay, so what the article is saying is that now that the server is compromised, it’s hard to detect that. But again, you had to get root access in the first place.


The interesting thing is not “user who gets root access does bad things” which in of itself isn’t interesting from a security perspective. It’s that the actual attack here is forensically very difficult to detect, and presumably because it embeds itself into the TPM can persist through factory resets potentially making it effectively impossible to mitigate.


Agree that once you are in, this is a very nasty thing you can do. The article also says the benefit to the attacker in terms of actual damage is at this point theoretical. So this exploit does not do harm, exactly, so much as cover up the fact it was done at all. That said, a clever attacker might be able to leverage this for something more “interesting.”

1 Like

It looks like Cory only linked to an article talking about this attack, which doesn’t really have any technical details.

Here’s more information about this vulnerability –

Thrangrycat’s official site which is a goldmine of information:

Cisco’s advisory:


The potential here is huge. You can basically reprogram the FPGA to do whatever you want – that’s pretty damn powerful. You can intercept any requests to overwrite your code to ignore them effectively making the exploit permanent (short of replacing the physical chips). Not saying Joe Script Kiddy can go in and do something here (nothing about programming FPGAs is easy), but I could see a nation state attacker jumping all over this.


Uses an emoji domain!


What seems so shocking about all this is the apparent conceptual confusion:

Mere implementation bugs are a thing that happens(potentially a rather dire one in a context like this; and the TPMs-that-generate-weak-keys incident certainly caused me no end of hassle); but also somewhat expected.

In this case, though, there’s an “um, I don’t even…” gap that I just can’t understand:

Cisco wanted a secure boot arrangement, so they have bits of their boot process cryptographically validating the next step before moving on. Ok, yes, that’s how these things work. Then their hardware root of trust is an FPGA running unverified code out of a little SPI flash chip. The first link in the chain, the one that has to work or all subsequent security guarantees are invalidated. And that solution gets the nod?

I can only assume that someone smarter than me had their reasons; but “we decided that our hardware root of trust should be a field programmable gate array whose bitstream is stored in relatively low paranoia memory rather than a fixed-function part(possibly with some efuses for downgrade resistance or cert revocation) or a paranoid microcontroller that at least stores its firmware on die and cryptographically validates any updates you try to offer it” just baffles me.

On the bright side, some ASA gear can be had for a song if it’s divorced from its support contract or EOL; and a lot of it is x86-with-copious-NICs; which could be a lot more interesting if the secure boot failure allows your preferred unixlike to be installed… Need to see if there’s anything good in the junk closet.

I’m worried about the potential for a destructive exploit. Instead of planting a hidden root kit, just use one of the existing, large bot networks to continuously deliver a destructive attack. This would brick a LOT of Cisco equipment.

Even if you hate Cisco, this is bad. Look in your pocket and count your available cash. How long can you live on it? If the Internet goes away, your Credit Cards stop functioning. All orders of goods and services stop functioning. This outcome is bad for almost everybody.

Unfortunately, there are a few, capable actors that might prefer a dead Internet, and a crashed global economy.

It’s 2019 so now security vulnerabilities are branded using emojis: Meet Thrangrycat, a Cisco router secure boot flaw

1 Like

Yeah, about that…


I look forward to reading Bruce Sterling’s, “Introspection Engine”.

This topic was automatically closed after 5 days. New replies are no longer allowed.