Cisco Starts Patching Firmware Bug; Millions of Devices Still Vulnerable


A flaw in the Secure Boot trusted hardware root-of-trust affects enterprise, military and government network gear, including routers, switches and firewalls.

Cisco has issued a handful of firmware releases for a high-severity vulnerability in its proprietary Secure Boot implementation, a flaw that affects millions of hardware devices across its product portfolio.

The patches are the first in a planned series of firmware updates that will roll out in waves from now through the fall – some products will remain unpatched and vulnerable through November.

Secure Boot is the vendor’s trusted hardware root-of-trust, implemented in a wide range of Cisco products in use among enterprise, military and government networks, including routers, switches and firewalls. The bug (CVE-2019-1649) exists in the logic that handles access control to one of the hardware components. It was disclosed last week.

The vulnerability could allow an authenticated, local attacker to write a modified firmware image to that component. A successful exploit could either cause the device to become unusable (and require a hardware replacement) or allow tampering with the Secure Boot verification process, according to Cisco’s advisory.

“The vulnerability is due to an improper check on the area of code that manages on-premise updates to a Field Programmable Gate Array (FPGA) part of the Secure Boot hardware implementation,” the networking giant explained.

Dozens of Cisco products are affected; Cisco's advisory carries the full list.

In Cisco’s updated advisory, the vendor issued fixes for its network and content security devices, as well as some products in the routing gear segment: the Cisco 3000 Series Industrial Security Appliances, Cisco Catalyst 9300 Series Switches, Cisco ASR 1001-HX and 1002-HX Routers, Cisco Catalyst 9500 Series High-Performance Switches, and Cisco Catalyst 9800-40 and 9800-80 Wireless Controllers all now have updates.

Other routing and switching gear patches won’t roll out until July and August, with some products slated for even later fixes, in October and November.

Voice and video devices will get fixes in September.

The good news is that an attacker would need to be local and already have access to the device’s OS, with elevated privileges, in order to exploit the issue.

An attacker would also need to “develop or have access to a platform-specific exploit,” Cisco noted. “An attacker attempting to exploit this vulnerability across multiple affected platforms would need to research each one of those platforms and then develop a platform-specific exploit. Although the research process could be reused across different platforms, an exploit developed for a given hardware platform is unlikely to work on a different hardware platform.”

Also this week, Cisco issued an updated advisory for a medium-severity command injection vulnerability in Cisco FXOS and NX-OS software (CVE-2019-1780); fixed software is now available for the Nexus 3000 Series Switches and Nexus 9000 Series Switches.

