Cisco router vulnerabilities could prevent future software updates

A patch won’t completely remediate the problem.

A pair of vulnerabilities in Cisco routers could, when exploited in tandem, allow hackers to prevent software updates and defeat the “Secure Boot” process that verifies the code running on the hardware, researchers have discovered.

The discovery, made by Red Balloon Security, affects Cisco’s 1001-X router, which the company markets to managed service providers and other businesses. But Red Balloon researchers say they believe it could affect a number of other systems that rely on Cisco’s Trust Anchor module – the feature that helps ensure the code running on hardware is unmodified and authentic. Trust Anchor is also used in Cisco routers and switches.

“This is a significant security weakness which potentially exposes a large number of corporate, government and even military networks to remote attacks,” said Ang Cui, Red Balloon’s founder and chief scientist.

The first of the vulnerabilities, dubbed “Thrangrycat,” would let an attacker bypass the Cisco Trust Anchor and manipulate its firmware, while the second allows for remote code execution on a version of Cisco’s IOS operating system.


Cisco on Monday released a security advisory related to the firmware vulnerability, and said that software updates for that flaw would be coming. The company has patched the IOS vulnerability.

Cisco is “not aware of any malicious use of the vulnerability that is described in this advisory,” a company spokesperson said.

A patch won’t completely remediate the problem, according to Cui.

“Fixing this problem isn’t easy, because to truly remediate it requires a physical replacement of the chip at the heart of the Trust Anchor system,” Cui said. “A firmware patch will help to offset the risks, but it won’t completely eliminate them.”

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
