By Richard Chirgwin, 13th August 2015 03:56

Cisco network kit warning: Watch out for malware in the firmware

Someone's reverse-engineered ROMMON to craft an admin-level attack

Cisco has warned users to keep a close eye on who holds admin access to their kit, because it has seen malicious ROM images in the wild.

The problem is that this isn't something the Borg can just issue a patch for. Admins – with appropriate credentials, naturally – need to be able to drop new ROM images on their kit as a matter of course.

"The ability to install an upgraded ROMMON image on IOS devices is a standard, documented feature that administrators use to manage their networks", Cisco says.

In its advisory, the company says "Cisco has observed a limited number of cases where attackers, after gaining administrative or physical access to a Cisco IOS device, replaced the Cisco IOS ROMMON (IOS bootstrap) with a malicious ROMMON image".

ROMMON is the IOS bootstrap, the code that runs before IOS itself loads, so replacing it means the attacker can "manipulate device behaviour" from beneath the operating system. Because the malicious image sits in the boot path rather than in the running IOS, a reboot does not clear it: if the owner doesn't know the image has been swapped, it will persist across reloads.

The company points to three white papers so users of Cisco IOS Classic platforms can refresh themselves on how to harden devices against such an attack: Cisco IOS Software Integrity Assurance, Cisco Guide to Harden IOS Devices, and Telemetry-Based Infrastructure Device Integrity Monitoring.
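The practical check those documents boil down to is a baseline comparison: record the ROMMON version each platform shipped with, then compare what every device reports against it. The script below is an added illustration of that check, not Cisco's code and not taken from the white papers. The `show version` excerpts and the per-platform baseline are constructed for the example; the hostnames, field layout and version strings are assumptions shaped like IOS Classic output.

```python
import re
from typing import Dict, List, Optional

# Known-good ROMMON version per platform, as an operator would record it at
# deployment time. Constructed values for this example, not a Cisco reference.
ROMMON_BASELINE: Dict[str, str] = {
    "2811": "12.4(13r)T",
    "3845": "12.4(13r)T11",
}

# Constructed excerpts shaped like IOS Classic 'show version' output.
SHOW_VERSION_SAMPLES: Dict[str, str] = {
    "rtr-branch-01": (
        "Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), "
        "Version 15.1(4)M4, RELEASE SOFTWARE (fc1)\n"
        "ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)\n"
        "\n"
        "rtr-branch-01 uptime is 3 weeks, 2 days, 4 hours\n"
        "System returned to ROM by reload at 09:12:44 UTC Tue Jul 21 2015\n"
        "Cisco 2811 (revision 53.51) with 249856K/12288K bytes of memory.\n"
    ),
    "rtr-core-02": (
        "Cisco IOS Software, 3800 Software (C3845-ADVENTERPRISEK9-M), "
        "Version 15.1(4)M4, RELEASE SOFTWARE (fc1)\n"
        "ROM: System Bootstrap, Version 12.4(13r)T5, RELEASE SOFTWARE (fc1)\n"
        "\n"
        "rtr-core-02 uptime is 2 days, 1 hour, 7 minutes\n"
        "System returned to ROM by reload at 02:40:13 UTC Mon Aug 10 2015\n"
        "Cisco 3845 (revision 1.0) with 483328K/40960K bytes of memory.\n"
    ),
    # Platform deliberately absent from the baseline.
    "rtr-lab-03": (
        "ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)\n"
        "Cisco 1841 (revision 7.0) with 236544K/25600K bytes of memory.\n"
    ),
}

ROM_RE = re.compile(r"^ROM: System Bootstrap, Version ([^,]+),", re.M)
PLATFORM_RE = re.compile(r"^Cisco (\S+) \(revision", re.M)
RELOAD_RE = re.compile(r"^System returned to ROM by (.+?) at", re.M)


def audit_rommon(host: str, show_version: str,
                 baseline: Dict[str, str] = ROMMON_BASELINE) -> Dict[str, Optional[str]]:
    """Compare one device's reported ROMMON version against the baseline.

    status is one of: ok, mismatch, unknown-platform, unparsed.
    last_reload is surfaced because a swapped ROMMON only takes effect after
    a reload, so an unexplained recent reload on a mismatching host matters.
    """
    rom = ROM_RE.search(show_version)
    plat = PLATFORM_RE.search(show_version)
    rel = RELOAD_RE.search(show_version)
    result: Dict[str, Optional[str]] = {
        "host": host,
        "platform": plat.group(1) if plat else None,
        "rommon": rom.group(1) if rom else None,
        "expected": None,
        "last_reload": rel.group(1) if rel else None,
        "status": "unparsed",
    }
    if result["platform"] is None or result["rommon"] is None:
        return result
    expected = baseline.get(result["platform"])
    result["expected"] = expected
    if expected is None:
        result["status"] = "unknown-platform"
    elif expected == result["rommon"]:
        result["status"] = "ok"
    else:
        result["status"] = "mismatch"
    return result


def audit_fleet(samples: Dict[str, str]) -> List[Dict[str, Optional[str]]]:
    """Run the baseline check over every captured 'show version'."""
    return [audit_rommon(host, text) for host, text in samples.items()]


if __name__ == "__main__":
    for r in audit_fleet(SHOW_VERSION_SAMPLES):
        print(f"{r['host']:14} {r['status']:16} rommon={r['rommon']} "
              f"expected={r['expected']} last_reload={r['last_reload']}")
```

Two caveats a practitioner would attach to this. A version string is only as trustworthy as the bootstrap reporting it, so a malicious ROMMON can report whatever version it likes; the version check catches a careless swap, and the hash and offline image comparison the white papers describe are what catch a careful one. And an "unknown-platform" result is itself a finding: a device with no recorded baseline cannot be verified at all.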

It doesn't take a fevered imagination to suggest a pretty sophisticated actor is involved here. Someone needed the skills to reverse-engineer ROMMON and build a working replacement, and the resources to obtain valid administrative credentials, or physical access, on the target networks before installing it.

"In all cases seen by Cisco, attackers accessed the devices using valid administrative credentials", the note states, meaning no software vulnerability was exploited: the attackers logged in as administrators and used the documented ROMMON upgrade feature exactly as designed. ®

