Beginner

Thrangrycat Attacks.

Hi,

 

In our environment we are using the switches below:

NEXUS 93108 TC
Nexus 93108tc-ex
NEXUS-9K

I want to know whether Nexus 9K series switches are vulnerable to Thrangrycat attacks or not.

If they are vulnerable, how do we solve it?

Kindly advise the resolution for the same.

 

 


 


Accepted Solutions
Hall of Fame Expert

Re: Thrangrycat Attacks.

Hello Abdul,

Read the following Cisco Security Advisory:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190513-secureboot

In the list of affected devices I see the following line that may apply to your hardware. The last column shows the first NX-OS release with the bug fixed; the middle column shows the bug ID.

Nexus 9K Fixed with 48p 10G BASE-T and 6p 40G/100G QSFP28 (N9K-C93108TC-EX) | CSCvn77143 | Cisco NX-OS Software Release 9.3(2) (Aug 2019)

Details are the following:

Details

 

  • An attacker will need to fulfill all the following conditions to attempt to exploit this vulnerability:

    • Have privileged administrative access to the device.
    • Be able to access the underlying operating system running on the device; this can be achieved either by using a supported, documented mechanism or by exploiting another vulnerability that would provide an attacker with such access.
    • Develop or have access to a platform-specific exploit. An attacker attempting to exploit this vulnerability across multiple affected platforms would need to research each one of those platforms and then develop a platform-specific exploit. Although the research process could be reused across different platforms, an exploit developed for a given hardware platform is unlikely to work on a different hardware platform.

There are no workarounds that address this vulnerability.

Cisco Guide to Harden Cisco IOS Devices provides information about how to harden the device and secure management access. Implementing the recommendations in this document would reduce the attack surface for this vulnerability.

I would recommend for the moment to verify that you have appropriately configured hardening on your device.

The bulletin also warns about the risks of the upgrade procedure to fix the bug.

In most cases, the fix will require an on-premise reprogramming of a low-level hardware component that is required for normal device operation. A failure during this reprogramming process may cause the device to become unusable and require a hardware replacement. Customers are advised to consult the Release Note Enclosure for the Cisco bug relevant to their platform for the following information:

1. Causes that could lead to a failure of the reprogramming process and cause the device to become unusable
2. A platform-specific set of steps that are required to reprogram a device
3. The procedure required to determine whether a given device is running an affected firmware version (that therefore must be fixed) or whether the device is already running a fixed firmware version

The product release notes that are published with each platform-specific fixed software release will include more detailed information about items 2 and 3 in the preceding list. The product release notes should be considered the most up-to-date source of information about these items.


My Notes:

The attacker needs to know an account with privilege level to be able to perform the attack and needs to know platform-specific information about low-level programming.

If you have configured all the best practices for Cisco device hardening you should be able to wait for the release of the fixed release of NX-OS. However, the release notes have to be read carefully because this SW upgrade could make the device unusable (in case it would require an RMA).

Edit:

As mentioned by Georg, this vulnerability may take advantage of another one about web UI access, described here:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190513-webui

The bulletin mentions only IOS XE on the affected devices; however, if my understanding is correct, this can be avoided if you disable the HTTP and HTTPS server on the device.

    Router# show running-config | include ip http server|secure-server

    ip http server
    ip http secure-server

The presence of either command in the device's configuration indicates that the HTTP Server feature is enabled.

So if you disable both commands in your environment and you manage your switches via SSH only, this should be the workaround even if the bulletin says that there is no workaround. This is just my personal opinion and understanding.

Hope to help

Giuseppe
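
The check described in the answer above, applied to saved running-config files, as an added example that is not part of the original post or of Cisco's advisory. The host names and sample configs are constructed; the code treats `no ip http server` lines as disabled (the `include` filter would still print them) and also flags vty lines whose explicit `transport input` permits anything other than SSH.

```python
import re

# Whole-line match so related settings such as "ip http authentication local"
# are not mistaken for the two feature commands named in the post.
HTTP_CMD = re.compile(r"^(no\s+)?ip http (server|secure-server)\s*$")
VTY_TRANSPORT = re.compile(r"^transport input\s+(.+)$")

def http_server_state(config):
    """Return {'server': bool, 'secure-server': bool} for one running-config."""
    state = {"server": False, "secure-server": False}
    for raw in config.splitlines():
        m = HTTP_CMD.match(raw.strip())
        if m:
            # A leading "no" means the feature is disabled.
            state[m.group(2)] = m.group(1) is None
    return state

def non_ssh_vty_lines(config):
    """Return (vty block, transports) where 'transport input' allows more than ssh."""
    findings, current = [], None
    for raw in config.splitlines():
        if not raw.startswith(" "):  # a new top-level command ends the block
            current = raw.strip() if raw.startswith("line vty") else None
        elif current and (m := VTY_TRANSPORT.match(raw.strip())):
            if m.group(1).split() != ["ssh"]:
                findings.append((current, m.group(1)))
    return findings

def audit(configs):
    """Map hostname -> findings, listing only hosts that need attention."""
    report = {}
    for host, text in configs.items():
        http = [k for k, on in http_server_state(text).items() if on]
        vty = non_ssh_vty_lines(text)
        if http or vty:
            report[host] = {"http_enabled": http, "non_ssh_vty": vty}
    return report

# Constructed sample configs (hypothetical hosts, not from a real device).
SAMPLE = {
    "edge-rtr-1": "hostname edge-rtr-1\nip http server\nip http secure-server\n"
                  "ip http authentication local\nline vty 0 4\n"
                  " transport input telnet ssh\n",
    "edge-rtr-2": "hostname edge-rtr-2\nno ip http server\n"
                  "no ip http secure-server\nline vty 0 4\n transport input ssh\n",
}

if __name__ == "__main__":
    for host, findings in audit(SAMPLE).items():
        print(host, findings)
```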

       

5 REPLIES 5
VIP Mentor

Re: Thrangrycat Attacks.

Hello,

 

Check the link below for affected devices and expected patch release dates...

 

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190513-secureboot

 

In addition, the vulnerability works in conjunction with another one (see link below)...

 

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190513-webui

Rising star

Re: Thrangrycat Attacks.

 

 - As usual, your only trustworthy source or status w.r.t. these problems will be Cisco or your reseller. In fact, neither answer on this topic can be considered trustworthy, as the source cannot be verified.

 M.

VIP Mentor

Re: Thrangrycat Attacks.

Thanks for this detail. Need to do some planning now; quite a few devices on that list.

Beginner

Re: Thrangrycat Attacks.


Thank you Team
