Researchers from the security firm Red Balloon have discovered a remote attack method that could allow hackers to take over Cisco’s 1001-X series router and compromise all of the data and commands sent through the device.
To compromise the company’s routers, the researchers chained two vulnerabilities. The first is a bug in Cisco’s IOS operating system that allows an attacker to gain root access to the device; this vulnerability can be fixed with a software patch.
The second vulnerability requires root access as a prerequisite: once the researchers had root on a Cisco router, they were able to bypass the device’s security protection known as Trust Anchor. The network hardware maker has implemented this security feature in almost all of its enterprise devices since 2013.
Since Red Balloon bypassed Trust Anchor on Cisco’s 1001-X series router using device-specific modifications, similar tactics could potentially be applied to hundreds of millions of the company’s devices around the world, from enterprise routers to network switches and even firewalls.
The tactics employed by Red Balloon could even possibly be used to fully compromise networks running on Cisco’s routers which are used by businesses and governments all over the world.
The security firm’s founder and CEO, Ang Cui, provided further insight on the remote attack method its researchers discovered, saying:
“We’ve shown that we can quietly and persistently disable the Trust Anchor. That means we can make arbitrary changes to a Cisco router and the Trust Anchor will still report that the device is trustworthy. Which is scary and bad, because this is in every important Cisco product. Everything.”
Cisco responded to the news by announcing a patch for the IOS remote root-access vulnerability, and the company says it will provide fixes for all product families that are potentially vulnerable to secure enclave attacks. However, all of those fixes are still months from release, and there are currently no workarounds.
When the patches do become available, they cannot be pushed remotely and will require on-premises reprogramming of each device.