
News

By Richard Chirgwin, 13th August 2015 03:56

Cisco network kit warning: Watch out for malware in the firmware

Someone's reverse-engineered ROMMON to craft an admin-level attack

Cisco has warned users to keep a close eye on who has admin access to their kit, because it has seen malicious ROMMON images in the wild.

The problem is that this isn't something the Borg can just issue a patch for. Admins – with appropriate credentials, naturally – need to be able to drop new ROM images on their kit as a matter of course.

"The ability to install an upgraded ROMMON image on IOS devices is a standard, documented feature that administrators use to manage their networks", Cisco says.

In its advisory, the company says "Cisco has observed a limited number of cases where attackers, after gaining administrative or physical access to a Cisco IOS device, replaced the Cisco IOS ROMMON (IOS bootstrap) with a malicious ROMMON image".

ROMMON is the IOS bootstrap: it runs before IOS and loads it, so an attacker who replaces it can "manipulate device behaviour" from underneath the operating system. Because the bootstrap lives in its own region of flash rather than in the IOS image, a malicious ROMMON survives reboots and ordinary IOS image upgrades, which leave the bootstrap untouched; unless the owner knows it is there and reflashes it, it simply persists.

The company points to three white papers so users of Cisco IOS Classic platforms can refresh themselves on how to harden devices against such an attack: Cisco IOS Software Integrity Assurance, Cisco Guide to Harden IOS Devices, and Telemetry-Based Infrastructure Device Integrity Monitoring.
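The telemetry-based monitoring those papers describe boils down to collecting what each device reports about its bootstrap and system image and comparing it against a baseline recorded when the box was last trusted. The script below is an added illustration of that check, not code from Cisco or from the advisory. It parses the `ROM: System Bootstrap, Version ...` and `System image file is "..."` lines that IOS Classic prints in `show version`, and the `verify /md5 (path) = hash` line printed by `verify /md5`; the sample outputs, hostnames, version strings and hashes are all constructed for the example and are not real device data.

```python
import re

# Known-good baseline, recorded by the operator when each device was last
# trusted. Hypothetical hostnames, versions and hashes (constructed for this
# example, not taken from Cisco documentation).
BASELINE = {
    "edge-rtr-1": {
        "rommon": "15.0(1r)M15",
        "image": "flash0:c2900-universalk9-mz.SPA.154-3.M3.bin",
        "md5": "0123456789abcdef0123456789abcdef",
    },
    "edge-rtr-2": {
        "rommon": "15.0(1r)M15",
        "image": "flash0:c2900-universalk9-mz.SPA.154-3.M3.bin",
        "md5": "0123456789abcdef0123456789abcdef",
    },
}

# Constructed `show version` excerpts. edge-rtr-2 reports a bootstrap version
# and image hash that differ from its baseline, which is what we want to flag.
SHOW_VERSION = {
    "edge-rtr-1": (
        "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), "
        "Version 15.4(3)M3, RELEASE SOFTWARE (fc2)\n"
        "ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)\n"
        "edge-rtr-1 uptime is 3 days, 4 hours, 12 minutes\n"
        'System image file is "flash0:c2900-universalk9-mz.SPA.154-3.M3.bin"\n'
    ),
    "edge-rtr-2": (
        "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), "
        "Version 15.4(3)M3, RELEASE SOFTWARE (fc2)\n"
        "ROM: System Bootstrap, Version 15.0(1r)M9, RELEASE SOFTWARE (fc1)\n"
        "edge-rtr-2 uptime is 17 minutes\n"
        'System image file is "flash0:c2900-universalk9-mz.SPA.154-3.M3.bin"\n'
    ),
}

# Constructed `verify /md5` output (the progress dots IOS prints first are
# irrelevant to the parser and omitted).
VERIFY_MD5 = {
    "edge-rtr-1": "verify /md5 (flash0:c2900-universalk9-mz.SPA.154-3.M3.bin) = "
                  "0123456789abcdef0123456789abcdef\n",
    "edge-rtr-2": "verify /md5 (flash0:c2900-universalk9-mz.SPA.154-3.M3.bin) = "
                  "fedcba9876543210fedcba9876543210\n",
}

ROM_RE = re.compile(r"^ROM: System Bootstrap, Version (\S+),", re.M)
IMAGE_RE = re.compile(r'^System image file is "([^"]+)"', re.M)
MD5_RE = re.compile(r"^verify /md5 \(([^)]+)\) = ([0-9a-f]{32})", re.M)


def parse_show_version(text):
    """Pull the bootstrap version and booted image path out of `show version`."""
    rom = ROM_RE.search(text)
    img = IMAGE_RE.search(text)
    return {"rommon": rom.group(1) if rom else None,
            "image": img.group(1) if img else None}


def parse_verify_md5(text):
    """Return (image path, digest) from `verify /md5` output, or (None, None)."""
    m = MD5_RE.search(text)
    return (m.group(1), m.group(2)) if m else (None, None)


def check_device(host, show_version, verify_output, baseline=BASELINE):
    """Compare one device's reported state with its baseline; return findings."""
    expected = baseline[host]
    seen = parse_show_version(show_version)
    findings = []
    if seen["rommon"] != expected["rommon"]:
        findings.append(f"{host}: ROMMON {seen['rommon']!r} differs from "
                        f"baseline {expected['rommon']!r}")
    if seen["image"] != expected["image"]:
        findings.append(f"{host}: booted image {seen['image']!r} differs from "
                        f"baseline {expected['image']!r}")
    path, digest = parse_verify_md5(verify_output)
    if path != expected["image"] or digest != expected["md5"]:
        findings.append(f"{host}: image hash mismatch ({path} = {digest})")
    return findings


def check_all(show_version=SHOW_VERSION, verify=VERIFY_MD5, baseline=BASELINE):
    """Run the comparison for every baselined device; returns host -> findings."""
    return {host: check_device(host, show_version[host], verify[host], baseline)
            for host in baseline}


if __name__ == "__main__":
    for host, findings in check_all().items():
        print(host, "OK" if not findings else "\n  ".join([""] + findings))
```

One caveat worth stating plainly: everything this script consumes is produced by the device under test, and a bootstrap or IOS image that has been tampered with can lie about its own version and hashes. Treat a clean on-box result as a first pass, not proof, and compare the reported values against copies you obtained out of band (the image and its hash from your own download records, the ROMMON version from your change records); that limitation is exactly why Cisco's integrity assurance guidance leans on offline verification and on watching for the upgrade activity itself rather than trusting the box's self-report.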

It doesn't take a fevered imagination to suggest a pretty sophisticated actor is involved here. Someone needed the skills to reverse-engineer ROMMON and build a working replacement, and the resources to get hold of valid administrative credentials, or physical access, on the target networks before the malicious image could be installed.

"In all cases seen by Cisco, attackers accessed the devices using valid administrative credentials", the note states, meaning no IOS vulnerability was exploited: the way in was a compromised admin account (or hands on the hardware), which is why Cisco is pointing at hardening and monitoring rather than shipping a patch. ®
