The July security release consists of security updates for the following software:
Microsoft Office and Microsoft Office Services and Web Apps
Open Source Software
Microsoft Exchange Server
Please note the following information regarding the security updates:
A list of the latest servicing stack updates for each operating system can be found in ADV990001. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update.
Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are available via the Microsoft Update Catalog.
Updates for Windows RT 8.1 and Microsoft Office RT software are only available via Windows Update.
Cisco’s Trust Anchor module (TAm) can be bypassed by manipulating the bitstream of the Field Programmable Gate Array (FPGA). This component handles access control to a hardware component within Cisco’s Secure Boot implementations, which affects multiple products that support this functionality. An authenticated, local attacker could write a new firmware image to the TAm. Additionally, Cisco’s IOS XE web UI improperly sanitizes user input, which could allow an authenticated, remote attacker to execute commands as root on the vulnerable device.
CVE-2019-1649: Secure Boot Tampering, also known as Thrangrycat
The logic that handles the access controls to the TAm within Cisco’s Secure Boot improperly checks an area of code that manages the Field Programmable Gate Array (FPGA). The TAm is a proprietary hardware chip used for many security services within Cisco products, including nonvolatile secure storage, cryptography services, and as a Secure Unit Device Identifier. The TAm can be bypassed by modifying the bitstream of the FPGA, allowing an authenticated, local attacker to make persistent modifications to the TAm.
CVE-2019-1862: IOS XE Web UI Command Injection
The web user interface of Cisco IOS XE improperly sanitizes user-supplied input. This could allow an authenticated, remote attacker to execute commands as root on the underlying Linux shell.
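The defect class named above, user input spliced into a shell command line, is easier to reason about with a concrete pattern next to its hardened form. The following is an added illustration, not Cisco's code and not the IOS XE web UI: it assumes a hypothetical diagnostic endpoint that takes a host parameter and runs a ping, shows how a shell would tokenize the concatenated string, rejects anything outside a strict allow-list, and passes an argv list so no shell ever parses the value. The sample parameters are constructed.

```python
import re
import shlex
import subprocess

# Strict allow-list for the only thing the hypothetical handler should accept:
# a hostname or IPv4 literal. Anything else is rejected before a command exists.
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")

# Characters that carry meaning for a POSIX shell; used for reviewing request
# logs, not as the primary defence (the allow-list and argv list are).
SHELL_META = set(";|&$`<>()\n")

# Tokens that separate commands once a shell has tokenized the line.
COMMAND_SEPARATORS = {";", "|", "||", "&", "&&"}

# Constructed request parameters, as they might appear in an access log.
SAMPLE_PARAMS = ["10.0.0.1", "core-sw1.example.net", "10.0.0.1; echo injected"]


def build_unsafe(host: str) -> str:
    """The vulnerable pattern: untrusted input concatenated into a command
    string destined for shell=True. Only built here, never executed."""
    return "ping -c 1 " + host


def build_safe(host: str) -> list[str]:
    """Hardened form: validate against the allow-list, then return an argv
    list for subprocess with shell=False, so the value is a single argument."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected diagnostic target: {host!r}")
    return ["ping", "-c", "1", host]


def shell_would_see(cmdline: str) -> list[str]:
    """Tokenize the string the way a POSIX shell would, keeping punctuation
    such as ';' and '&&' as separate tokens."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    return list(lexer)


def command_count(cmdline: str) -> int:
    """How many commands the shell would run for this line: 1 unless a
    separator token appears in the tokenized form."""
    tokens = shell_would_see(cmdline)
    return 1 + sum(1 for t in tokens if t in COMMAND_SEPARATORS)


def looks_injected(value: str) -> bool:
    """Log-review helper: True when a parameter that should only ever hold a
    hostname carries shell metacharacters."""
    return any(ch in SHELL_META for ch in value)


def triage(params: list[str]) -> dict[str, dict]:
    """Summarize each parameter: would the unsafe builder yield extra
    commands, and does the hardened builder accept it at all?"""
    report = {}
    for p in params:
        try:
            build_safe(p)
            accepted = True
        except ValueError:
            accepted = False
        report[p] = {
            "unsafe_command_count": command_count(build_unsafe(p)),
            "suspect": looks_injected(p),
            "accepted_by_safe_builder": accepted,
        }
    return report


if __name__ == "__main__":
    for param, row in triage(SAMPLE_PARAMS).items():
        print(f"{param!r}: {row}")
    # The hardened path hands the argv list to subprocess without a shell;
    # 'echo' stands in for the real command so this runs anywhere.
    subprocess.run(["echo", *build_safe("10.0.0.1")], check=True)
```

The point of `command_count` is that the unsafe builder silently turns one request into two commands for the injected sample, while `build_safe` never reaches the shell at all: it rejects the value, and even an accepted value travels as one argv element.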
A local or remote attacker could write a new firmware image to the TAm. When exploited together, these vulnerabilities could allow a remote, authenticated attacker to remotely and persistently bypass Secure Boot and prevent future software updates to the TAm.
To exploit CVE-2019-1649, an attacker would need to have privileged administrative access to the device. This type of access could be achieved by exploiting the vulnerability described in CVE-2019-1862 or other potential remote command injection vulnerabilities.
Cisco is in the process of developing and releasing software fixes for all affected platforms. We recommend installing this update when it is available.
Apply the update from Cisco.
Guidance from Cisco recommends that users refer to the Cisco Guide to Harden Cisco IOS Devices, as it provides information about how to harden the device and secure management access. Implementing the recommendations in this document would likely reduce the attack surface for this vulnerability.
A vulnerability in Cisco Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode could allow an authenticated, remote attacker to access sensitive information.
The vulnerability occurs because the affected software does not properly validate user-supplied input. An attacker could exploit this vulnerability by issuing certain commands with filtered query results on the device. This action may cause returned messages to display confidential system information. A successful exploit could allow the attacker to read sensitive information on the device.
There are no workarounds that address this vulnerability.
When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Exploitation and Public Announcements
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
Cisco would like to thank Octav Opaschi of Detack GmbH for reporting this vulnerability.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.
Cisco Security Vulnerability Policy
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.