当前位置:首页 > 网络安全 > 安全通告 > 详情
安全漏洞预警通告-思科设备高危漏洞预警
2019年05月18日   

  1、基本情况

  近日,工信部网络威胁信息共享平台收到关于思科设备高危漏洞的威胁情报,思科公司产品存在两个高危漏洞。攻击者利用这两个漏洞可以远程绕过思科的安全启动机制,并锁定TAm(Trust Anchor模块)的软件更新。目前,思科公司已发布官方补丁。

  2、攻击原理

  2019年5月13日,思科公司产品的两个高危漏洞,第一个被称为“Thrangrycat”漏洞,CVE编号:CVE-2019-1649。利用该漏洞攻击者可通过FPGA(现场可编程门阵列)比特流操作绕过思科设备的TAm(Trust Anchor模块)。第二个漏洞是Cisco IOS XE version 16的远程命令注入漏洞,利用该漏洞攻击者可以root权限远程执行任意代码。综合上述两个漏洞,攻击者可以远程绕过思科的安全启动机制,并锁定TAm(Trust Anchor模块)的软件更新。目前,思科公司已发布官方补丁,但Red Balloon Security认为“Thrangrycat”漏洞是硬件设计缺陷,仅通过软件补丁完全解决此漏洞是非常困难的。

  由于未纰漏漏洞细节,信通院安全所网络安全实验室将对该漏洞持续关注并开展技术研究。

  3、影响范围

  漏洞影响的产品版本包括:

  1) 网络和内容安全设备:

  Cisco ASA 5500-X Series with FirePOWER Services

  Cisco Firepower 2100 Series

  Cisco Firepower 4000 Series

  Cisco Firepower 9000 Series

  2) 路由和交换设备:

  用于Cisco NCS 2000 Series及Cisco ONS 15454 MSTP的10Gbps Optical Encryption Line Card (15454-M-WSE-K9)

  C9500-40X: Cisco Catalyst 9500 Series Switch with 40x 1/10G Gigabit Ethernet (C9500-12Q)

  CBR-8 Converged Broadband Router

  Cisco 1-Port Gigabit Ethernet WAN Network Interface Module (NIM-1GE-CU-SFP)

  Cisco 1120 Connected Grid Router

  Cisco 1240 Connected Grid Router

  Cisco 2-Port Gigabit Ethernet WAN Network Interface Module (NIM-2GE-CU-SFP)

  Cisco 3000 Series Industrial Security Appliances

  Cisco 4000 Series Integrated Services Router Packet 1024-Channel High-Density Voice DSP Module (SM-X-PVDM-1000)

  Cisco 4000 Series Integrated Services Router Packet 2048-Channel High-Density Voice DSP Module (SM-X-PVDM-2000)

  Cisco 4000 Series Integrated Services Router Packet 3080-Channel High-Density Voice DSP Module (SM-X-PVDM-3000)

  Cisco 4000 Series Integrated Services Router Packet 768-Channel High-Density Voice DSP Module (SM-X-PVDM-500)

  Cisco 4221 Integrated Services Router

  Cisco 4331 Integrated Services Router

  Cisco 4351 Integrated Services Router

  Cisco 4431 Integrated Services Router

  Cisco 4431 Integrated Services Router

  Cisco 4451-X Integrated Services Router

  Cisco 4461 Integrated Services Router

  Cisco 5000 Series Enterprise Network Compute System

  Cisco 809 Industrial Integrated Services Routers

  Cisco 829 Industrial Integrated Services Routers

  Cisco ASR 1000 Embedded Services Processor, 200G (ASR1000-ESP200)

  Cisco ASR 1000 Fixed Ethernet Line Card (6x10GE) (ASR1000-6TGE)

  Cisco ASR 1000 Fixed Ethernet Line Card, 2x10GE + 20x1GE (ASR1000-2T+20X1GE)

  Cisco ASR 1000 Series 100-Gbps Embedded Services Processor (ASR 1000-ESP100)

  Cisco ASR 1000 Series Modular Interface Processor (ASR1000-MIP100)

  Cisco ASR 1000 Series Route Processor 3 (Cisco ASR1000-RP3)

  Cisco ASR 1001-HX Router

  Cisco ASR 1001-X

  Cisco ASR 1002-HX Router

  Cisco ASR 900 Series Route Switch Processor 2 - 128G, Base Scale (A900-RSP2A-128)

  Cisco ASR 900 Series Route Switch Processor 2 - 64G, Base Scale (A900-RSP2A-64)

  Cisco ASR 900 Series Route Switch Processor 3 - 200G, Large Scale (A900-RSP3C-200)

  Cisco ASR 900 Series Route Switch Processor and Controller 400G (A900-RSP3C-400/W)

  Cisco ASR 9000 Series 16-Port 100 Gigabit Ethernet Line Card (A99-16X100GE-X-SE)

  Cisco ASR 9000 Series 16-Port 100 Gigabit Ethernet Line Card (A9K-16X100GE-TR, A9K-16X100GE-CM)

  Cisco ASR 9000 Series 32-Port 100 Gigabit Ethernet Line Card (A99-32X100GE-TR, A99-32X100GE-CM)

  Cisco ASR 9000 Series Route Switch Processor 5 for Packet Transport (A9K-RSP5-TR)

  Cisco ASR 9000 Series Route Switch Processor 5 for Service Edge (A9K-RSP5-SE)

  Cisco ASR 920 Series Aggregation Services Routers 10GE and 2-10GE - Passively Cooled DC model (ASR-920-10SZ-PD)

  Cisco ASR 920 Series Aggregation Services Routers 12 x 1/10GE SFP, AC Model (ASR-920-12SZ-A)

  Cisco ASR 920 Series Aggregation Services Routers 12 x 1/10GE SFP, DC Model (ASR-920-12SZ-D)

  Cisco ASR 920 Series Aggregation Services Routers 12GE and 2-10GE - AC model (ASR-920-12CZ-A)

  Cisco ASR 920 Series Aggregation Services Routers 12GE and 2-10GE - DC model (ASR-920-12CZ-D)

  Cisco ASR 920 Series Aggregation Services Routers 24GE Copper and 4-10GE – Modular PSU (ASR-920-24TZ-IM)

  Cisco ASR 920 Series Aggregation Services Routers 24GE Copper and 4-10GE – Modular PSU (ASR-920-24TZ-M)

  Cisco ASR 920 Series Aggregation Services Routers 24GE Fiber and 4-10GE – Modular PSU (ASR-920-24SZ-M)

  Cisco ASR 920 Series Aggregation Services Routers 2GE and 4-10GE - AC model (ASR-920-4SZ-A)

  Cisco ASR 920 Series Aggregation Services Routers 2GE and 4-10GE - DC model (ASR-920-4SZ-D)

  Cisco ASR 920 Series Aggregation Services Routers Conformal Coated - 12GE and 4-10GE, 1 IM Slot (ASR-920-12SZ-IM-CC)

  Cisco ASR 9900 Route Processor 3 for Packet Transport (A99-RP3-TR)

  Cisco ASR 9900 Route Processor 3 for Service Edge (A99-RP3-SE)

  Cisco Catalyst 6800 16-port 10GE with Integrated DFC4-XL (C6800-16P10G-XL)

  Cisco Catalyst 6800 32-port 10GE with Dual Integrated Dual DFC4-XL (C6800-32P10G-XL)

  Cisco Catalyst 6800 8-port 10GE with Integrated DFC4-XL (C6800-8P10G-XL)

  Cisco Catalyst 6800 8-port 40GE with Dual Integrated Dual DFC4-EXL (C6800-8P40G-XL)

  Cisco Catalyst 6800 Series Supervisor Engine 6T XL

  Cisco Catalyst 6816-X-Chassis (Standard Tables) (C6816-X-LE)

  Cisco Catalyst 6824-X-Chassis and 2 x 40G (Standard Tables) (C6824-X-LE-40G)

  Cisco Catalyst 6832-X-Chassis (Standard Tables) (C6832-X-LE)

  Cisco Catalyst 6840-X-Chassis and 2 x 40G (Standard Tables) (C6840-X-LE-40G)

  Cisco Catalyst 9300 Series Switches

  Cisco Catalyst 9500 Series High-Performance Switch with 24x 1/10/25G Gigabit Ethernet + 4x 40/100G Uplink (C9500-24Y4C)

  Cisco Catalyst 9500 Series High-Performance Switch with 32x 100 Gigabit Ethernet (C9500-32C)

  Cisco Catalyst 9500 Series High-Performance Switch with 32x 40 Gigabit Ethernet (C9500-32QC)

  Cisco Catalyst 9500 Series High-Performance Switch with 48x 1/10/25G Gigabit Ethernet + 4x 40/100G Uplink (C9500-48Y4C)

  Cisco Catalyst 9500 Series Switch with 12x 40G Gigabit Ethernet (C9500-12Q)

  Cisco Catalyst 9500 Series Switch with 12x 40G Gigabit Ethernet (C9500-12Q)

  Cisco Catalyst 9500 Series Switch with 16x 1/10G Gigabit Ethernet (C9500-16X)

  Cisco Catalyst 9500 Series Switch with 16x 1/10G Gigabit Ethernet (C9500-16X)

  Cisco Catalyst 9500 Series Switch with 24x 40G Gigabit Ethernet (C9500-24Q)

  Cisco Catalyst 9500 Series Switch with 24x 40G Gigabit Ethernet (C9500-24Q)

  Cisco Catalyst 9500 Series Switch with 40x 1/10G Gigabit Ethernet (C9500-40X)

  Cisco Catalyst 9500 Series Switch with 40x 1/10G Gigabit Ethernet (C9500-40X)

  Cisco Catalyst 9600 Supervisor Engine-1

  Cisco Catalyst 9800-40 Wireless Controller

  Cisco Catalyst 9800-80 Wireless Controller

  Cisco IC3000 Industrial Compute Gateway

  Cisco MDS 9000 Family 24/10 SAN Extension Module (DS-X9334-K9)

  Cisco NCS 200 Series 10/40/100G MR Muxponder (NCS2K-MR-MXP-K9)

  Cisco NCS 5500 12X10, 2X40 2XMPA Line Card Base (NC55-MOD-A-S)

  Cisco NCS 5500 Series 24 Ports of 100GE and 12 Ports of 40GE High-Scale Line Card (NC55-24H12F-SE)

  Cisco NCS 5500 Series 36 ports of 100GE High-Scale Line Card (NC55-36X100G-A-SE)

  Cisco NCS 5504 Fabric Card (NC55-5504-FC)

  Cisco NCS 5516 Fabric Card (NC55-5516-FC)

  Cisco NCS 55A2 Fixed 24X10G + 16X25G MPA Chassis (NCS-55A2-MOD-S)

  Cisco NCS 55A2 Fixed 24X10G + 16X25G MPA Chassis, Temperature Hardened (NCS-55A2-MOD-HD-S)

  Cisco NCS 55A2 Fixed 24X10G + 16X25G MPA Chassis, Temperature Hardened with Conformal Coating (NCS-55A2-MOD-HX-S)

  Cisco NCS 55A2 Fixed 24X10G + 16X25G MPA Scale Chassis (NCS-55A2-MOD-SE-S)

  Cisco NCS 55A2 Fixed 24X10G + 16X25G MPA Scale Chassis, Temperature Hardened with Conformal Coating (NCS-55A2-MOD-SE-H-S)

  Cisco NCS5501 - 40x10G and 4x100G Scale Chassis (NCS-5501-SE)

  Cisco NCS5501 Fixed 48x10G and 6x100G Chassis (NCS-5501)

  Cisco NCS5502 - 48x100G Scale Chassis (NCS-5502-SE)

  Cisco NCS5502 Fixed 48x100G Chassis (NCS-5502)

  Cisco NCS55A1 Fixed 24x100G Chassis (NCS-55A1-24H)

  Cisco NCS55A1 Fixed 36x100G Base Chassis (NCS-55A1-36H-S)

  Cisco NCS55A1 Fixed 36x100G Scale Chassis (NCS-55A1-36H-SE)

  Cisco Network Convergence System 1002

  Cisco Network Convergence System 5001

  Cisco Network Convergence System 5002

  Cisco Network Convergence System 5500 Series: 1.2-Tbps IPoDWDM Modular Line Card (NC55-6X200-DWDM-S)

  Cisco Network Convergence System 5500 Series: 36X100G MACsec Modular Line Cards (NC55-36X100G-S)

  Cisco Nexus 31108PC-V, 48 SFP+ and 6 QSFP28 ports (N3K-C31108PC-V)

  Cisco Nexus 31108TC-V, 48 10Gbase-T RJ-45 and 6 QSFP28 ports (N3K-C31108TC-V)

  Cisco Nexus 3132C-Z Switches (N3K-C3132C-Z)

  Cisco Nexus 3264C-E Switches (N3K-C3264C-E)

  Cisco Nexus 7000 M3-Series 48-Port 1/10G Ethernet Module (N7K-M348XP-25L)

  Cisco Nexus 7700 M3-Series 12-Port 100G Ethernet Module (N77-M312CQ-26L)

  Cisco Nexus 7700 M3-Series 24-Port 40G Ethernet Module (N77-M324FQ-25L)

  Cisco Nexus 7700 M3-Series 24-Port 40G Ethernet Module (N7K-M324FQ-25L)

  Cisco Nexus 7700 M3-Series 48-Port 1/10G Ethernet Module (N77-M348XP-23L)

  Cisco Nexus 7700 Supervisor 3 (N77-SUP3E)

  Cisco Packet-over-T3/E3 Service Module (SM-X-1T3/E3)

  Cisco cBR-8 Integrated CCAP 40G Remote PHY Line Card (CBR-CCAP-LC-40G-R)

  Cisco cBR-8 Integrated CCAP Line Card includes 2 DS D3.1 Modules as well as 1 US D3.1 Module (CBR-LC-8D31-16U31)

  MDS 9700 Series Supervisor-3 (DS-X97-SF3-K9)

  Nexus 9200 with 48p 10/25 Gbps and 18p 100G QSFP28 (N9K-C92300YC)

  Nexus 9300 with 48p 1/10G/25G SFP and 6p 40G/100G QSFP28, MACsec, and Unified Ports Capable (N9K-C93180YC-FX)

  Nexus 9300 with 48p 100M/1G BASE-T, 4p 10/25G SFP28 and 2p 40G/100G QSFP28 (N9K-C9348GC-FXP)

  Nexus 9300 with 48p 10G BASE-T and 6p 40G/100G QSFP28, MACsec Capable (N9K-C93108TC-FX)

  Nexus 9K Fixed with 48p 1/10G/25G SFP and 12p 40G/100G QSFP28 (N9K-C93240YC-FX2)

  Nexus 9K Fixed with 48p 1/10G/25G SFP and 6p 40G/100G QSFP28 (N9K-C93180YC-EX)

  Nexus 9K Fixed with 48p 10G BASE-T and 6p 40G/100G QSFP28 (N9K-C93108TC-EX)

  Nexus 9K Fixed with up to 32p 40/50G QSFP+ or up to 18p 100G QSFP28 (N9K-C93180LC-EX)

  Supervisor A+ for Nexus 9500 (N9K-SUP-A+)

  Supervisor B+ for Nexus 9500 (N9K-SUP-B+)

  3) 语音和统一通信设备:

  用于Cisco 4000 Series ISRs的模拟语音网络接口模块 (NIM-2FXO, NIM-4FXO, NIM-2FXS, NIM-4FXS, NIM-2FXS/4FXO, NIM-2FXSP, NIM-4FXSP, NIM-2FXS/4FXOP, NIM-4E/M, NIM-2BRI-NT/TE, NIM-4BRI-NT/TE)

  Cisco 4000 Series Integrated Services Router T1/E1语音和WAN网络接口模块(NIM-1MFT-T1/E1, NIM-2MFT-T1/E1, NIM-4MFT-T1/E1, NIM-8MFT-T1/E1, NIM-1CE1T1-PRI, NIM-2CE1T1-PRI, NIM-8CE1T1-PRI)

  4、处置建议

  目前,思科公司官方已发布补丁修复此漏洞,建议用户立即升级至最新版本。

  5、参考链接

  1) https://thrangrycat.com/

  2) https://www.businesswire.com/news/home/20190513005742/en/Red-Balloon-Security-Discovers-Critical-Vulnerability-Millions

  3) http://cve.scap.org.cn/vuln/VH-CVE-2019-1649