CVE-2019-1649: Cisco Secure Boot Hardware Tampering Vulnerability

First published: Mon May 13 2019(Updated: )

A vulnerability in the logic that handles access control to one of the hardware components in Cisco's proprietary Secure Boot implementation could allow an authenticated, local attacker to write a modified firmware image to the component. This vulnerability affects multiple Cisco products that support hardware-based Secure Boot functionality. The vulnerability is due to an improper check on the area of code that manages on-premise updates to a Field Programmable Gate Array (FPGA) part of the Secure Boot hardware implementation. An attacker with elevated privileges and access to the underlying operating system that is running on the affected device could exploit this vulnerability by writing a modified firmware image to the FPGA. A successful exploit could either cause the device to become unusable (and require a hardware replacement) or allow tampering with the Secure Boot verification process, which under some circumstances may allow the attacker to install and boot a malicious software image. An attacker will need to fulfill all the following conditions to attempt to exploit this vulnerability: Have privileged administrative access to the device. Be able to access the underlying operating system running on the device; this can be achieved either by using a supported, documented mechanism or by exploiting another vulnerability that would provide an attacker with such access. Develop or have access to a platform-specific exploit. An attacker attempting to exploit this vulnerability across multiple affected platforms would need to research each one of those platforms and then develop a platform-specific exploit. Although the research process could be reused across different platforms, an exploit developed for a given hardware platform is unlikely to work on a different hardware platform.

Credit: ykramarz@cisco.com

Affected Software	Affected Version	How to fix
Cisco Asa 5500 Firmware	<1.1.15
Cisco ASA 5506-X
Cisco Asa 5506h-x
Cisco Asa 5506w-x
Cisco Asa 5508-x
Cisco Asa 5516-x
Cisco Firepower 2100 Firmware	<2.6.1.134
Cisco Firepower 2110
Cisco Firepower 2120
Cisco Firepower 2130
Cisco Firepower 2140
Cisco Firepower 4000 Firmware	<1.0.18
Cisco Firepower 4110
Cisco Firepower 4120
Cisco Firepower 4140
Cisco Firepower 4150
Cisco Firepower 9000 Firmware	<1.0.18
Cisco Firepower 9300
Cisco Ons 15454 Mstp Firmware	<11.1
Cisco Ons 15454 Mstp
Cisco Analog Voice Network Interface Modules Firmware
Cisco Nim-2bri-nt\/te
Cisco Nim-2fox
Cisco Nim-2fxs
Cisco Nim-2fxs\/4fxo
Cisco Nim-2fxs\/4fxop
Cisco Nim-2fxsp
Cisco Nim-4bri-nt\/te
Cisco Nim-4e\/m
Cisco Nim-4fxo
Cisco Nim-4fxs
Cisco Nim-4fxsp
Cisco Integrated Services Router T1\/e1 Voice And Wan Network Interface Modules Firmware
Cisco Nim-1ce1t1-pri
Cisco Nim-1mft-t1\/e1
Cisco Nim-2ce1t1-pri
Cisco Nim-2mft-t1\/e1
Cisco Nim-4mft-t1\/e1
Cisco Nim-8ce1t1-pri
Cisco Nim-8mft-t1\/e1
Cisco Supervisor A\+ Firmware
Cisco N9k-sup-a\+
Cisco Supervisor B\+ Firmware
Cisco N9k-sup-b\+
Cisco 15454-m-wse-k9 Firmware	<11.1
Cisco 15454-m-wse-k9
Cisco IOS XE	<16.12.1
Cisco cBR-8 Converged Broadband Router
Cisco IOS XE	<16.3.9
Cisco IOS XE	>=16.4.0<16.6.7
Cisco IOS XE	>=16.7.0<16.9.4
Cisco IOS XE	>=16.10.0<16.12.1
Cisco Nim-1ge-cu-sfp
Cisco Nim-2ge-cu-sfp
Cisco Sm-x-pvdm-1000
Cisco Sm-x-pvdm-2000
Cisco Sm-x-pvdm-3000
Cisco Sm-x-pvdm-500
Cisco IOS	<15.6\(3\)m7
Cisco IOS	>=15.7<=15.7\(3\)m5
Cisco IOS	>=15.8<15.8\(3\)m3
Cisco IOS	>=15.9<15.9\(3\)m
Cisco 1120 Connected Grid Router
Cisco 1240 Connected Grid Router
Cisco Industrial Security Appliances 3000 Firmware	<1.0.05
Cisco Industrial Security Appliances 3000
Cisco Integrated Services Router 4200 Firmware	<1.1
Cisco 4221 Integrated Services Router
Cisco Integrated Services Router 4300 Firmware	<1.1
Cisco 4321 Integrated Services Router
Cisco 4331 Integrated Services Router
Cisco 4351 Integrated Services Router
Cisco Integrated Services Router 4400 Firmware	<1.1
Cisco 4431 Integrated Services Router
Cisco 44461 Integrated Services Router
Cisco 4451-x Integrated Services Router
Cisco IOS	<15.6\(3\)m6b
Cisco IOS	>=15.7<=15.7\(3\)m4b
Cisco IOS	>=15.8<15.8\(3\)m2a
Cisco 809 Industrial Integrated Services Routers
Cisco 829 Industrial Integrated Services Routers
Cisco Asr 1000 Series Firmware
Cisco Asr 1000-esp100
Cisco Asr 1000 Series
Cisco Asr1000-2t\+20x1ge
Cisco Asr1000-6tge
Cisco Asr1000-esp200
Cisco Asr1000-mip100
Cisco Asr1000-rp3
Cisco Asr 1001 Firmware	=16.0.0
Cisco Asr 1001-hx
Cisco Asr 1001-x
Cisco Asr 1002-hx
Cisco IOS XE	<16.2.1
Cisco A900-rsp2a-128
Cisco A900-rsp2a-64
Cisco A900-rsp3c-200
Cisco A900-rsp3c-400\/w
Cisco Asr-920-10sz-pd
Cisco Asr-920-12cz-a
Cisco Asr-920-12cz-d
Cisco Asr-920-12sz-a
Cisco Asr-920-12sz-d
Cisco Asr-920-12sz-im-cc
Cisco Asr-920-24sz-m
Cisco Asr-920-24tz-im
Cisco Asr-920-24tz-m
Cisco Asr-920-4sz-a
Cisco Asr-920-4sz-d
Cisco C9300-24p
Cisco C9300-24t
Cisco C9300-24u
Cisco C9300-24ux
Cisco C9300-48p
Cisco C9300-48t
Cisco C9300-48u
Cisco C9300-48un
Cisco C9300-48uxm
Cisco Catalyst 9600 Supervisor Engine-1
Cisco Cbr-ccap-lc-40g-r
Cisco Cbr-lc-8d31-16u31
Cisco IOS XR	=7.0.1
Cisco A99-16x100ge-x-se
Cisco A99-32x100ge-cm
Cisco A99-32x100ge-tr
Cisco A99-rp3-se
Cisco A99-rp3-tr
Cisco A9k-16x100ge-cm
Cisco A9k-16x100ge-tr
Cisco A9k-rsp5-se
Cisco A9k-rsp5-tr
Cisco Network Convergence System 1002
Cisco IOS XE	<15.5\(1\)sy4
Cisco C6800-16p10g-xl
Cisco C6800-32p10g-xl
Cisco C6800-8p10g-xl
Cisco C6800-8p40g-xl
Cisco C6800-sup6t-xl
Cisco C6816-x-le
Cisco C6824-x-le-40g
Cisco C6832-x-le
Cisco C6840-x-le-40g
Cisco IOS XE	<16.9.4
Cisco IOS XE	>=16.10<16.12.1
Cisco C9500-12q
Cisco C9500-16x
Cisco C9500-24q
Cisco C9500-24y4c
Cisco C9500-32c
Cisco C9500-32qc
Cisco C9500-40x
Cisco C9500-48y4c
Cisco Catalyst 9800-40 Wireless Controller Firmware
Cisco Catalyst 9800-40 Wireless Controller
Cisco Catalyst 9800-80 Wireless Controller Firmware
Cisco Catalyst 9800-80 Wireless Controller
Cisco Ic3000-k9 Firmware	<1.0.2
Cisco Ic3000-k9
Cisco Nx-os	<8.4.1
Cisco Ds-x9334-k9
Cisco Ncs2k-mr-mxp-k9 Firmware	<11.1
Cisco Ncs2k-mr-mxp-k9
Cisco IOS XR	=7.1.1
Cisco Nc55-24h12f-se
Cisco Nc55-36x100g-a-se
Cisco Nc55-36x100g-s
Cisco Nc55-5504-fc
Cisco Nc55-5516-fc
Cisco Nc55-6x200-dwdm-s
Cisco Nc55-mod-a-s
Cisco Ncs-5501
Cisco Ncs-5501-se
Cisco Ncs-5502
Cisco Ncs-5502-se
Cisco Ncs-55a1-24h
Cisco Ncs-55a1-36h-s
Cisco Ncs-55a1-36h-se
Cisco Ncs-55a2-mod-hd-s
Cisco Ncs-55a2-mod-hx-s
Cisco Ncs-55a2-mod-s
Cisco Ncs-55a2-mod-se-h-s
Cisco Ncs-55a2-mod-se-s
Cisco Network Convergence System 5001
Cisco Network Convergence System 5002
Cisco Nx-os	<9.3\(2\)
Cisco N3k-c31108pc-v
Cisco N3k-c31108tc-v
Cisco N3k-c3132c-z
Cisco N3k-c3264c-e
Cisco N9k-c92300yc
Cisco N9k-c93108tc-ex
Cisco N9k-c93108tc-fx
Cisco N9k-c93180lc-ex
Cisco N9k-c93180yc-ex
Cisco N9k-c93180yc-fx
Cisco N9k-c93240yc-fx2
Cisco N9k-c9348gc-fxp
Cisco Ds-x9648-1536k9
Cisco N77-m312cq-26l
Cisco N77-m348xp-23l
Cisco N77-sup3e
Cisco N7k-m324fq-25l
Cisco N7k-m348xp-25l
Cisco Sm-x-1t3\/e3 Firmware
Cisco Sm-x-1t3\/e3
Cisco Encs 5100 Firmware
Cisco Encs 5100
Cisco Encs 5400 Firmware
Cisco Encs 5400

CVE-2019-1649: Cisco Secure Boot Hardware Tampering Vulnerability

Never miss a vulnerability like this again

Reference Links

Company

Resources

Contact