August 13, 2015
The networking giant has seen some malicious ROM images in the wild, and adds that it could get worse soon. Cisco said earlier today it is cautioning network administrators to be on the lookout for who has root admin rights to some of its equipment.
The issue is that this isn't something Cisco can simply fix with a security patch and then forget about.
With the appropriate credentials, attackers could drop new ROM images onto routing and switching equipment and cause a range of networking problems.
“The ability to install an upgraded ROMMON image on IOS devices is a standard, documented feature that Cisco administrators use to manage their networks all the time,” Cisco says.
In its security advisory, the company says: “Cisco has observed a limited number of cases where attackers, after gaining admin or physical access to a Cisco IOS device, replaced the Cisco IOS ROMMON with a malicious ROMMON image.”
To be clear, ROMMON *is* the IOS bootstrap, so replacing it means the attacker can “manipulate device behavior”, and if the owner doesn't know a malicious image is installed, it persists across a reboot, or across several.
The company points to no fewer than three white papers so that users of Cisco IOS Classic platforms can refresh their memory on how to harden Cisco network gear against such an attack.
Those three, Cisco IOS Software Integrity Assurance, Cisco Guide to Harden IOS Devices, and Telemetry-Based Infrastructure Device Integrity Monitoring, are available on the Cisco site.
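As an added illustration in the spirit of the telemetry-based integrity monitoring paper (example code, not Cisco's or the article's): a baseline check that parses the `ROM:` line of collected `show version` output and flags devices whose ROMMON version differs from what the operator expects. Hostnames, the baseline table and the `show version` excerpts are constructed for the example; the `ROM: System Bootstrap, Version ...` line shape follows typical IOS output.

```python
import re

# Known-good ROMMON version per device (hypothetical baseline the operator maintains).
BASELINE = {
    "edge-rtr-1": "15.0(1r)M16",
    "edge-rtr-2": "15.0(1r)M16",
}

# Constructed `show version` excerpts, as a collector would store them per host.
SHOW_VERSION = {
    "edge-rtr-1": """Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.4(3)M3
ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)
edge-rtr-1 uptime is 3 weeks, 2 days, 4 hours""",
    "edge-rtr-2": """Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.4(3)M3
ROM: System Bootstrap, Version 15.0(1r)M16a, RELEASE SOFTWARE (fc1)
edge-rtr-2 uptime is 2 hours, 11 minutes""",
}

# Matches the bootstrap (ROMMON) version reported at the top of `show version`.
ROM_RE = re.compile(r"^ROM: System Bootstrap, Version (\S+),", re.MULTILINE)


def rommon_version(output: str):
    """Return the reported ROMMON version, or None if the line is absent."""
    m = ROM_RE.search(output)
    return m.group(1) if m else None


def audit(baseline, outputs):
    """Return (host, expected, observed) for every host whose ROMMON version
    is missing from the collected output or differs from the baseline."""
    findings = []
    for host, expected in baseline.items():
        observed = rommon_version(outputs.get(host, ""))
        if observed != expected:
            findings.append((host, expected, observed))
    return findings


if __name__ == "__main__":
    for host, expected, observed in audit(BASELINE, SHOW_VERSION):
        print(f"{host}: expected ROMMON {expected}, device reports {observed}")
```

A matching version string is a weak signal on its own, since a modified bootstrap can report whatever it likes; treat this as one input alongside the image-hash verification the white papers describe.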
And it doesn’t take a wild imagination to suggest that a sophisticated hacker would be involved here.
In fact, someone first needed the skills to reverse-engineer ROMMON, and then the resources to actually fool sysadmins into installing the malicious image on their networks.
“In almost all of these cases seen by Cisco, attackers accessed the devices using valid administrative credentials,” Cisco states, meaning that someone traced the attack back to the admin account used.