Security researchers have discovered two big new vulnerabilities in popular Cisco enterprise routers that are used by hundreds of millions around the globe.
One vulnerability is particularly troubling: it allows hackers to bypass the “Trust Anchor” hardware feature, which is just about as fundamental to the routers’ security as it sounds.
We explain what you need to know about the Cisco router security flaw, and what you can do if you own a Cisco router yourself.
What’s Wrong With the Cisco Routers?
The vulnerabilities were found by researchers at security firm Red Balloon. The first one lets hackers gain root access to the routers thanks to a bug in Cisco’s operating system. It’s not too uncommon as bugs go, and Cisco has already issued a Security Advisory to help business IT teams address and patch it.
The second vulnerability is the rough one. Red Balloon was able to bypass the “Trust Anchor” security feature on the Cisco ASR 1001-X series router. The Trust Anchor has been a key security element in “almost all of the company’s enterprise devices since 2013,” according to Wired. The vulnerability forces a device to boot normally even when it detects a security breach, compromising all data that flows through the router.
While demonstrated solely on the 1001-X series router, this exploit can be given device-specific modifications that would allow it to completely compromise routers, network switches, and firewalls across over 100 Cisco product families around the globe.
Cisco has since issued a patch for this vulnerability. But the Red Balloon researchers believe it might not be possible to fully quash the problem without physically adapting the hardware itself.
Cisco Router Bug Implications
The full implications of this news are huge, given the sheer number of Cisco routers in use worldwide, and their importance in enterprise infrastructures.
And if all that wasn’t bad enough, it gets worse. The researchers hold that the nature of these vulnerabilities could guide the way towards entirely new manipulations of a core element of the Trust Anchor: FPGA bitstreams. This, in turn, could affect devices beyond those produced by Cisco.
If there’s an upside here, it’s that there’s no evidence that the vulnerability has been actively exploited by bad actors. As mentioned earlier, Cisco has published alerts on the two big risks to help patch them.
Naturally, Cisco stock dropped 4% right after the news broke, but has partially rebounded already. Meanwhile, one litigation firm has put out feelers to see if there’s any legal action to be taken against the company.
Still, this certainly isn’t the first big security risk for a major tech company, and it won’t be the last. In the end, it’s another example of how tech security protocols are a constant uphill battle.