
A Cisco Router Bug Has Global Implications - Dajsvaro
https://www.wired.com/story/cisco-router-bug-secure-boot-trust-anchor/
======
Bluecobra
This article makes it sound like the sky is falling but it's not. In order to
actually exploit CVE-2019-1862, you need to be an _authenticated_ user with
access to the Web UI. Typically management of a router isn't exposed to the
whole Internet.

~~~
sh-run
As a Network Engineer at an org with decent staffing and a great cyber sec
program, and as someone who recently started working through the OSCP material,
I'd like to agree with you, and I will say I'm not overly worried about this
(we'll still patch the second we can).

Cisco isn't exactly making things hard on attackers. Here are a couple of other
vulnerabilities that could be used in conjunction with this one: a hardcoded
credential vulnerability in IOS-XE (CVE-2018-0150). IOS-XE hasn't been without
privilege escalation vulnerabilities either (e.g. CVE-2019-1754, among others).

Many orgs are unwilling to take a network outage for patching, especially in
places like their DCs, internet or WAN edges where many of these devices would
be deployed. I'm also aware of companies that are understaffed, where
employees don't have the extra cycles to patch or apply workarounds. These are
the same places that don't have active cyber security departments (no red-
team, no vulnerability scanning, no dot1x and no written cyber security
requirements) and don't budget for redundancy (making it even harder to
patch). It only takes one forgotten NAT and firewall rule or a
misplaced/unapplied ACL to end up with something exposed to the internet that
shouldn't be. With how sophisticated some attackers have become and the slow
rollout of network patches, this will probably be actively exploited even if
it hasn't been already.

------
chrisbolt
The article makes it sound like just one router is affected (ASR 1001-X), but
that's just one model in one line of Cisco routers, and they all appear to be
vulnerable:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190513-secureboot

~~~
Kev503
It is always nice to read "This advisory will be updated as additional
information becomes available." /s

------
runciblespoon
Do you think these security defects are really bugs, or are they back-doors left in
for the state security apparatus? Who or what department is tasked with
testing Cisco devices for security vulnerabilities? I mean, didn't anyone test
the devices for potential remote root access and the ability to bypass the
Trust Anchor? Lastly, I don't know how an internet router can be not connected
to the Internet and still function.

~~~
Hikikomori
Doubt it. It's the consequence of bad security practices, incompetence at many
levels, rushing to market, and in general how these platforms are designed
(which is a consequence of the previous statements).

While there are a lot of CVEs for pretty much all equipment like this from
all vendors, they require access to the mgmt interface to be exploited. These
devices do the heavy lifting in ASICs/NPUs, so the control plane and forwarding
plane are separated (some things requiring CPU processing, such as routing
protocols, need to be forwarded from the forwarding plane to the control plane),
but it requires some configuration to be fully secure, easily done, however.

The control plane is typically a Linux distro these days (some run FreeBSD,
QNX, or an in-house developed OS) with some open source applications on top
(Apache or other web servers are common for mgmt), some proprietary apps,
ASIC drivers, etc. A Linux distro you are seldom allowed to make changes to or
update the software of, fearing that it will cause problems for customers; the
same goes for the apps running on it. Even if you do upgrade it, you have to get
your customers to do it as well; most upgrades require scheduled downtime and
typically come with new fun bugs. Most of the CVEs come from the open source
software running on these devices, some from them messing up the configuration
on them. Very few come from the proprietary apps, as they mainly deal with
network control protocols and not mgmt.
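sh-run's point about a forgotten firewall rule or a misplaced/unapplied ACL and Hikikomori's remark that the control plane needs some configuration to be fully secure come down to the same question: is the management plane actually restricted to the hosts that should reach it? The following is an added example, not code from the page, from any of the commenters, or from Cisco. It is a small Python audit that takes the text of a running-config and flags a web UI or VTY line reachable from any source, which is exactly the exposure that turns an authenticated-only bug like the one discussed here into something an outsider can get at once they have a credential. The two configs it runs on are constructed samples; the commands they use (ip http server / secure-server / access-class, numbered standard access-list, line vty with access-class ... in and transport input) are standard IOS syntax. It parses numbered standard ACLs only, which is what access-class normally takes; named ACLs would need a second parser.

```python
"""Flag an exposed management plane in a Cisco IOS / IOS-XE running-config.
Added example, not from the page or Cisco; parses numbered standard ACLs only
(what 'access-class' normally takes). The sample configs below are constructed."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    message: str


def blocks(config_text):
    """(top-level command, [sub-commands]) pairs; IOS indents sub-commands by one space."""
    out = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and out:
            out[-1][1].append(raw.strip())
        elif not raw.startswith(" "):
            out.append((raw.rstrip(), []))
    return out


def parse_acls(cmds):
    """Map ACL number -> [(action, tokens)] from 'access-list N permit|deny ...' lines."""
    acls = {}
    for c in cmds:
        m = re.match(r"^access-list\s+(\d+)\s+(permit|deny)\s+(.*)$", c)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3).split()))
    return acls


def check_acl(name, acls, where):
    """An ACL that is undefined, or permits source 'any', restricts nothing."""
    if name not in acls:
        return [Finding("high", f"{where}: ACL {name} referenced but not defined")]
    if any(a == "permit" and t and t[0] == "any" for a, t in acls[name]):
        return [Finding("high", f"{where}: ACL {name} permits any source")]
    return []


def audit_management_plane(config_text):
    """Findings for the web UI and VTY lines; an empty list means nothing exposed."""
    cfg = blocks(config_text)
    cmds = [c for c, _ in cfg]
    acls = parse_acls(cmds)
    findings = []
    http_on, https_on = "ip http server" in cmds, "ip http secure-server" in cmds
    http_acl = None
    for c in cmds:
        m = re.match(r"^ip http access-class\s+(?:ipv4\s+)?(\S+)$", c)
        if m:
            http_acl = m.group(1)
    if http_on:
        findings.append(Finding("medium", "ip http server: cleartext web UI; prefer HTTPS only"))
    if (http_on or https_on) and http_acl is None:
        findings.append(Finding("high", "web UI enabled with no 'ip http access-class'"))
    elif http_on or https_on:
        findings.extend(check_acl(http_acl, acls, "ip http access-class"))
    for cmd, subs in cfg:
        if not cmd.startswith("line vty"):
            continue
        acl = transport = None
        for s in subs:
            if re.match(r"^access-class\s+\S+\s+in$", s):
                acl = s.split()[1]
            elif s.startswith("transport input"):
                transport = s[len("transport input"):].strip()
        if acl is None:
            findings.append(Finding("high", f"{cmd}: no inbound access-class"))
        else:
            findings.extend(check_acl(acl, acls, cmd))
        if transport != "ssh":
            findings.append(Finding("medium", f"{cmd}: transport input {transport or 'unset'!r}, not 'ssh'"))
    return findings


# Constructed sample: web UI "restricted" by an ACL that permits any source; VTY has no ACL.
WEAK_CONFIG = """\
ip http server
ip http secure-server
ip http access-class 10
access-list 10 permit any
line vty 0 4
 transport input telnet ssh
"""

# Constructed sample: HTTPS only, ACL limited to a management subnet, SSH only.
HARDENED_CONFIG = """\
no ip http server
ip http secure-server
ip http access-class 10
access-list 10 permit 10.20.30.0 0.0.0.255
access-list 10 deny any log
line vty 0 4
 access-class 10 in
 transport input ssh
"""

if __name__ == "__main__":
    print(*audit_management_plane(WEAK_CONFIG), sep="\n")
```

Feed it the output of `show running-config`; the weak sample yields four findings and the hardened one none. Anything it reports is a management-plane reachability problem worth fixing regardless of patch status, since an ACL that permits any source, or one that is referenced but never defined, is the "unapplied ACL" case in practice even though the line `ip http access-class` is present.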

