Originally published at: https://boingboing.net/2019/05/22/introspection-engines.html
…
Wait, the attacker first got root access to the server before she could use this exploit? Okay, so what the article is saying is that now that the server is compromised, it's hard to detect that. But again, you had to get root access in the first place.
The interesting thing is not "user who gets root access does bad things", which in and of itself isn't interesting from a security perspective. It's that the actual attack here is forensically very difficult to detect, and presumably because it embeds itself into the TPM can persist through factory resets, potentially making it effectively impossible to mitigate.
Agree that once you are in, this is a very nasty thing you can do. The article also says the benefit to the attacker in terms of actual damage is at this point theoretical. So this exploit does not do harm, exactly, so much as cover up the fact it was done at all. That said, a clever attacker might be able to leverage this for something more "interesting."
It looks like Cory only linked to an article talking about this attack, which doesn't really have any technical details.
Here's more information about this vulnerability:
Thrangrycat's official site, which is a goldmine of information:
https://thrangrycat.com/
Cisco's advisory:
The potential here is huge. You can basically reprogram the FPGA to do whatever you want; that's pretty damn powerful. You can intercept any requests to overwrite your code to ignore them, effectively making the exploit permanent (short of replacing the physical chips). Not saying Joe Script Kiddy can go in and do something here (nothing about programming FPGAs is easy), but I could see a nation state attacker jumping all over this.
Uses an emoji domain!
What seems so shocking about all this is the apparent conceptual confusion:
Mere implementation bugs are a thing that happens (potentially a rather dire one in a context like this; and the TPMs-that-generate-weak-keys incident certainly caused me no end of hassle); but also somewhat expected.
In this case, though, there's an "um, I don't even…" gap that I just can't understand:
Cisco wanted a secure boot arrangement, so they have bits of their boot process cryptographically validating the next step before moving on. Ok, yes, that's how these things work. Then their hardware root of trust is an FPGA running unverified code out of a little SPI flash chip. The first link in the chain, the one that has to work or all subsequent security guarantees are invalidated. And that solution gets the nod?
I can only assume that someone smarter than me had their reasons; but "we decided that our hardware root of trust should be a field programmable gate array whose bitstream is stored in relatively low paranoia memory rather than a fixed-function part (possibly with some efuses for downgrade resistance or cert revocation) or a paranoid microcontroller that at least stores its firmware on die and cryptographically validates any updates you try to offer it" just baffles me.
On the bright side, some ASA gear can be had for a song if it's divorced from its support contract or EOL; and a lot of it is x86-with-copious-NICs; which could be a lot more interesting if the secure boot failure allows your preferred unixlike to be installed… Need to see if there's anything good in the junk closet.
I'm worried about the potential for a destructive exploit. Instead of planting a hidden root kit, just use one of the existing, large bot networks to continuously deliver a destructive attack. This would brick a LOT of Cisco equipment.
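The chain-of-trust argument in the comment above, as a toy model in Python (an added example, not code from the thread, from Cisco or from the Thrangrycat researchers): each boot link embeds the digest it expects of the next link, and the verifier either holds a fused copy of the root's digest or simply takes the root on trust. The link names, the image bytes and the "fused anchor" are constructed assumptions; the point it shows is that the chain catches tampering downstream but not in an unanchored root.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass

# Toy hash-chained boot: every link embeds the digest it expects of the next one.
# Names and image bytes are constructed for illustration, not Cisco's real layout.
@dataclass
class Link:
    name: str
    body: bytes
    next_digest: bytes = b""  # empty on the last link
    def digest(self) -> bytes:
        # Cover both body and embedded expectation so tampering with either shows.
        return hashlib.sha256(self.body + self.next_digest).digest()

def build_chain(images: list[tuple[str, bytes]]) -> list[Link]:
    """Link images last-to-first so each link carries its successor's digest."""
    chain: list[Link] = []
    expected = b""
    for name, body in reversed(images):
        chain.insert(0, Link(name, body, expected))
        expected = chain[0].digest()
    return chain

def verify(chain: list[Link], anchor: bytes | None) -> str | None:
    """Return the first link whose digest mismatches, or None if all check out.
    anchor=None means the root is taken on trust (the unverified-bitstream case)."""
    expected = anchor if anchor is not None else chain[0].digest()
    for link in chain:
        if link.digest() != expected:
            return link.name
        expected = link.next_digest
    return None

GOOD = build_chain([("fpga-bitstream", b"constructed root logic"),
                    ("bootloader", b"constructed loader"), ("os", b"constructed OS")])
FUSED_ANCHOR = GOOD[0].digest()  # assumption: root digest in fuses, not rewritable

def with_modified(chain: list[Link], index: int) -> list[Link]:
    """Constructed tampering: alter one link's body, keep everything else intact."""
    link = chain[index]
    altered = Link(link.name, link.body + b" (modified)", link.next_digest)
    return chain[:index] + [altered] + chain[index + 1:]

def root_unanchored() -> str | None:    # modified root, root unverified: passes
    return verify(with_modified(GOOD, 0), anchor=None)
def root_fused() -> str | None:         # same modification, root anchored: caught
    return verify(with_modified(GOOD, 0), anchor=FUSED_ANCHOR)
def loader_modified() -> str | None:    # downstream change: caught even unanchored
    return verify(with_modified(GOOD, 1), anchor=None)
```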
Even if you hate Cisco, this is bad. Look in your pocket and count your available cash. How long can you live on it? If the Internet goes away, your Credit Cards stop functioning. All orders of goods and services stop functioning. This outcome is bad for almost everybody.
Unfortunately, there are a few, capable actors that might prefer a dead Internet, and a crashed global economy.
It's 2019 so now security vulnerabilities are branded using emojis: Meet Thrangrycat, a Cisco router secure boot flaw
Yeah, about that…
I look forward to reading Bruce Sterling's "Introspection Engine".