Cisco Issues Guidance to Protect Against Rogue IOS Firmware Installation

Update (20th September 2015): As discussed in a more recent blog post, attackers are now re-imaging Cisco networking devices with modified IOS firmware in order to take control of your networking equipment. These devices can then be used for further attacks within your network (among other malicious actions).

The first type of attack using this technique has been called “SYNful Knock”. Details, including how to detect, mitigate and recover from this attack, are provided in the blog post linked above.

Thank you.

=======================
Original Post:
Earlier this month Cisco issued a security bulletin to notify its customers of an evolution in the way that attackers compromise corporate networking devices. After obtaining access to a device (either physical access or administrative privileges gained by another means), an attacker can then use the standard means of field-upgrading the device's built-in firmware to install a modified image.

Why Should These Issues Be Considered Important?
With the attacker-modified version of the firmware installed on the Cisco networking devices, the attackers can manipulate the devices' behavior and settings. In addition, because the code is installed in the device's firmware, it survives a reboot, which makes removing the modified firmware far more difficult.

How Can I Protect Myself From These Issues?
Since no vulnerability is used to install unauthorized firmware updates, Cisco has provided extensive guidance within its security bulletin to harden the devices against this and other attacks. Please follow the guidance to harden your Cisco IOS devices against these more persistent attacks (advice on removing such threats if your firmware has already been compromised is also provided).

Thank you.
