Tag Archives: Cisco

Cable Modems Vulnerable to Cable Haunt Vulnerabilities

=====================
TL;DR
Being careful about which links you click and how you handle email reduces the chance of these flaws being exploited against you, but it does not remove the vulnerability from the device. If your internet connection uses a cable modem, check whether your modem is affected and follow the “What should I do” step mentioned below.
=====================

In mid-January 2020 it was disclosed that the firmware (defined) of many cable modems supplied by internet service providers (ISPs) (typically combined modem and router devices built on Broadcom chipsets) was vulnerable to remote takeover by attackers. The vulnerabilities were named Cable Haunt to give them an easy to remember reference.

How widespread are the affected modems?
At least the following manufacturers are affected, with up to 200 million vulnerable modems, mainly in Europe, although other regions (e.g. North America) are also affected. Please also see the FAQ “Am I Affected” on the Cable Haunt website.

Arris
COMPAL
Netgear
Sagemcom
Technicolor

Other brands of modems confirmed by the wider community as being vulnerable are:

Cisco EPC3928AD
Cisco/Technicolor DPC3216
Humax HGB10R-02
SMC Electronics SMC D3-CCR-v2
Zoom 5370
Virgin Media’s Super Hub 3 and 4 do not appear to be vulnerable.

How serious are these vulnerabilities?
While the vulnerabilities are serious in their impact, namely complete remote compromise of the device, how an attacker could exploit the vulnerabilities to achieve that outcome is not trivial. As per the researchers:

“This could be exploited by an attacker if you visit a malicious website or if they embed the code, for instance in an advert, on a trusted website. It is important to point out that this is not the only attack vector that can be employed, vulnerable mail-clients, exploited IoT devices, public networks etc. are also viable attack vectors”.

Summary of the Technical Aspects of these vulnerabilities
The vulnerability formally designated CVE-2019-19494 is a buffer overflow (defined) which, if exploited, allows remote code execution (defined: the ability for an attacker to remotely carry out any action of their choice on your device) with kernel level (defined) privileges, triggered from JavaScript (defined) running in your web browser. According to the researchers, with “a carefully crafted message the modem can be manipulated to execute arbitrary code specified by a remote attacker”.

An important aspect of the exploit described above is that, while the attack is launched remotely (through a victim’s web browser), what it compromises is a service local to the modem: its spectrum analyser. A browser cannot normally reach that service, so a DNS rebinding attack (defined) is used to trick the browser into sending the attacker’s requests to the modem’s LAN-side address, giving the attacker access to the spectrum analyser and, through the overflow, to the modem itself. The result (according to the researchers) is “full remote control over the entire unit, and all the traffic that flows through it, while being invisible for both the user and ISP”. This capability could be used to:

  1. Intercept private messages
  2. Redirect traffic
  3. Add the modems to botnets
  4. Replace the devices firmware
  5. Instruct the device to ignore remote system updates (the very mechanism that could be used to patch the vulnerabilities, making it harder for the legitimate owner/user or ISP to recover a compromised device)
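To make the rebinding step concrete, here is an added example (not code from the Cable Haunt researchers) of the two places the attack chain can be broken: a resolver that refuses to let an external name resolve to an internal address, and a LAN-side service that checks the Host header of every request. The attacker domain attacker.example, the public address 1.2.3.4 and the modem address 192.168.0.1 are placeholders chosen for the illustration, not values from the research.

```python
"""DNS-rebinding defences for a LAN-side service such as the Cable Haunt spectrum analyser.

Added example, not the Cable Haunt researchers' code. The attacker domain
(attacker.example), the 'public' address 1.2.3.4 and the modem's LAN-side
address 192.168.0.1 are constructed placeholders, not values from the research.
"""
import ipaddress

# ---- Resolver-side: refuse answers that point an external name at an internal address ----
def filter_rebinding(name, addresses, internal_zones=()):
    """Return the answers for `name` that a rebinding-aware resolver would pass on.

    Private, loopback and link-local addresses are dropped unless `name` lies in a
    zone the operator has declared as legitimately holding internal addresses.
    """
    name = name.rstrip(".").lower()
    zones = [z.rstrip(".").lower() for z in internal_zones]
    trusted = any(name == z or name.endswith("." + z) for z in zones)
    kept = []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        internal = ip.is_private or ip.is_loopback or ip.is_link_local
        if internal and not trusted:
            continue  # the rebinding step: an external name answered with an internal address
        kept.append(addr)
    return kept

# ---- Device-side: a LAN-only HTTP/WebSocket endpoint checks the Host header ----
def host_header_allowed(raw_request, own_hosts):
    """True if the request's Host header names this device.

    After rebinding, the browser still sends the attacker's hostname in Host:
    (the origin never changed from the browser's point of view), so a service that
    accepts only its own address or hostname refuses the rebound request.
    """
    head = raw_request.split("\r\n\r\n", 1)[0]
    host = None
    for line in head.split("\r\n")[1:]:
        if line.lower().startswith("host:"):
            host = line.split(":", 1)[1].strip()
            break
    if not host:
        return False
    if host.startswith("[") and "]" in host:   # [IPv6-literal]:port
        hostname = host[1:host.index("]")]
    else:                                      # name or IPv4, optional :port
        hostname = host.rsplit(":", 1)[0]
    return hostname.lower() in {h.lower() for h in own_hosts}

# ---- Constructed attacker DNS: public address first, then the modem's address ----
def attacker_dns(lookup_count):
    """Models the attacker's authoritative server: a short-TTL public answer on the
    first lookup, the victim's internal address on the next."""
    return ["1.2.3.4"] if lookup_count == 0 else ["192.168.0.1"]

def rebinding_attempt(resolver_filters=False):
    """Replay the two lookups and report which addresses the browser is allowed to reach."""
    reached = []
    for n in range(2):
        answers = attacker_dns(n)
        if resolver_filters:
            answers = filter_rebinding("attacker.example", answers)
        reached.extend(answers)
    return reached

MODEM_HOSTS = ["192.168.0.1", "modem.lan"]  # assumed identities of the device

if __name__ == "__main__":
    print("without filter:", rebinding_attempt(False))   # second lookup reaches the modem
    print("with filter:   ", rebinding_attempt(True))    # only the public address survives
    rebound = "GET /spectrum HTTP/1.1\r\nHost: attacker.example\r\n\r\n"
    print("rebound request accepted:", host_header_allowed(rebound, MODEM_HOSTS))
```

Both checks are independent: the resolver filter protects every device behind it (many home routers and public resolvers offer it as a setting), while the Host header check protects the service even when the victim uses a resolver that does not filter.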

How can I protect my organisation or myself from these vulnerabilities?
For in-depth answers from the researchers to this question, in the context of an internet service provider (ISP), the operator of the modem (e.g. within a small business), an individual or a security researcher, please see the question “What Should I do” on the dedicated Cable Haunt website:

https://cablehaunt.com/

According to Graham Cluley: “Some ISPs in Scandinavia appear to have remotely patched the cable modems of their customers, but others have some catching up to do it seems.
If your cable modem contains a Broadcom chipset you might want to contact your ISP and ask them what they’re doing about this”.

Thank you.

=====================

My sincere thanks to the Cable Haunt researchers Alexander Dalsgaard Krog (Lyrebirds), Jens Hegner Stærmose (Lyrebirds), Kasper Kohsel Terndrup (Lyrebirds) and Simon Vandel Sillesen (Independent) as well as Graham Cluley for the excellent information which this blog post is built upon.

DNS Flag Day Aims to Make DDoS Attacks Harder

Since the 1st of February 2019 (“DNS Flag Day”) multiple major DNS (defined) resolver implementers and operators have removed long-standing resolver workarounds. Those involved in the initiative include ISC, Cloudflare, Facebook, Cisco and Google (among others).

The workarounds were retries a resolver performed when an authoritative server did not respond to a query carrying EDNS (Extension Mechanisms for DNS) information: the resolver assumed the server was broken and retried without EDNS. EDNS is required by RFC 2671 (now superseded by RFC 6891) and the base protocol by RFC 1035. After Flag Day a resolver treats such a timeout as a network or server failure, so domains served only by authoritative servers that do not comply with these RFCs may fail to resolve. In more depth, the DNS Flag Day page explains the workarounds are being removed because:

==============
The current DNS is unnecessarily slow and inefficient because of efforts to accommodate a few DNS systems that are not in compliance with DNS standards established two decades ago.

To ensure further sustainability of the system it is time to end these accommodations and remediate the non-compliant systems. This change will make most DNS operations slightly more efficient, and also allow operators to deploy new functionality, including new mechanisms to protect against DDoS attacks.
==============
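To show what actually changed inside a resolver, the following added example (not code from the DNS Flag Day project or from any resolver) builds a real EDNS(0) query in DNS wire format, answers it with two constructed authoritative servers (one compliant, one that silently drops any query carrying an OPT record) and contrasts the pre-Flag-Day retry-without-EDNS fallback with the post-Flag-Day behaviour. All packets are built and answered in-process; nothing touches the network.

```python
"""EDNS(0) queries and the resolver fallback that DNS Flag Day (1 February 2019) removed.

Added example, not code from the Flag Day project or any resolver. All packets are
built and answered in-process from constructed data; nothing touches the network.
"""
import struct

OPT_TYPE = 41          # RFC 6891 OPT pseudo-RR
A_TYPE, IN_CLASS = 1, 1

def encode_name(name):
    """Dotted name -> DNS wire format (no compression)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label %r" % label)
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)

def skip_name(buf, off):
    """Offset just past the name starting at buf[off]; handles compression pointers."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def build_query(qname, qtype=A_TYPE, txid=0x1234, edns=True, udp_size=1232):
    """Non-recursive query (RD=0, as a resolver sends to an authoritative server)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 1 if edns else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, IN_CLASS)
    opt = b""
    if edns:
        # OPT RR: root name, TYPE 41, CLASS = advertised UDP payload size,
        # TTL field = extended RCODE | EDNS version 0 | flags (all zero), RDLENGTH 0
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0)
    return header + question + opt

def has_opt(packet):
    """True if an OPT RR is present in the additional section."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", packet, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(packet, off) + 4
    for _ in range(an + ns):
        off = skip_name(packet, off)
        rdlen = struct.unpack_from("!HHIH", packet, off)[3]
        off += 10 + rdlen
    for _ in range(ar):
        off = skip_name(packet, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", packet, off)
        if rtype == OPT_TYPE:
            return True
        off += 10 + rdlen
    return False

def make_answer(query, address="192.0.2.1", with_opt=True):
    """Constructed authoritative answer: echo the question, one A record, OPT if asked."""
    txid = struct.unpack_from("!H", query, 0)[0]
    question = query[12:skip_name(query, 12) + 4]
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 1 if with_opt else 0)  # QR|AA
    rdata = bytes(int(o) for o in address.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", A_TYPE, IN_CLASS, 300, 4) + rdata
    opt = (b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, 0, 0)) if with_opt else b""
    return header + question + answer + opt

# Two constructed authoritative servers. Each returns a packet, or None for a timeout.
def compliant_server(query):
    """RFC 6891 behaviour: always answers, echoing an OPT RR when the query had one."""
    return make_answer(query, with_opt=has_opt(query))

def broken_server(query):
    """Pre-standard server or middlebox that silently drops any query carrying OPT."""
    return None if has_opt(query) else make_answer(query, with_opt=False)

def resolve_legacy(send, qname):
    """Before Flag Day: a timeout on the EDNS query was assumed to mean 'this server
    dislikes EDNS', so the resolver retried without it (slow, and it hid broken servers)."""
    resp = send(build_query(qname, edns=True))
    if resp is None:
        return "fallback", send(build_query(qname, edns=False))
    return "edns", resp

def resolve_flag_day(send, qname):
    """After Flag Day: a timeout is a network or server failure; no EDNS-disabling retry."""
    resp = send(build_query(qname, edns=True))
    return ("edns", resp) if resp is not None else ("servfail", None)

if __name__ == "__main__":
    for label, server in (("compliant", compliant_server), ("broken", broken_server)):
        print(label, "legacy:", resolve_legacy(server, "example.com.")[0],
              "flag-day:", resolve_flag_day(server, "example.com.")[0])
```

The same check can be run against a real authoritative server with dig (`dig +norecurse +edns=0 example.com @nameserver`, then the same query with `+noedns`), which is what the DNS Flag Day site’s test tool automates: a server that answers the plain query but never the EDNS one will, after Flag Day, simply fail at the resolver instead of being quietly accommodated.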

DNS amplification and DNS flood attacks appear to be the threats these changes aim to mitigate: EDNS is the mechanism that carries extensions such as DNS Cookies (RFC 7873), which resolvers can only rely on once every authoritative server handles EDNS correctly. A full list of the types of DDoS (defined) attacks is available from the following Cloudflare page (at the end of that page):

It will be interesting to see the effect of these changes on the DNS infrastructure when it is next targeted by botnets (defined) (e.g. botnets made up of Internet of Things (IoT) (defined) devices, compromised systems or other means). Such botnets typically rely on a command and control (C2) (defined) infrastructure.

Thank you.

Vendors Respond to Spectre NG Vulnerabilities

====================
Update: 24th July 2018
====================
I have updated the list of vendor responses below to include further Red Hat versions and CentOS:

Red Hat Enterprise Linux 7:
https://access.redhat.com/errata/RHSA-2018:1629

CentOS 6:
https://lists.centos.org/pipermail/centos-announce/2018-July/022968.html

CentOS 7:
https://lists.centos.org/pipermail/centos-announce/2018-May/022843.html
====================

====================
Update: 19th June 2018
====================
Last Wednesday, the security news and troubleshooting website BleepingComputer published a table detailing the complete list of updates required to mitigate the Meltdown, Spectre and SpectreNG (also known as Spectre variant 4) vulnerabilities for all recent versions of Windows. This is very useful because I realise my previous blog post on Meltdown and Spectre was at times hard to follow (it has a lot of info within it).

As of Tuesday, 12th June Microsoft have released updates to address SpectreNG. While you can install these updates, Microsoft have advised that the security protections will not be enabled unless you choose to enable them. This is due to the lower risk of SpectreNG and because enabling the protections can lead to a performance penalty of up to 8% (as I detailed below).

Microsoft provide step by step guidance on enabling the protections within this security advisory. It is likely other OS vendors will take a similar approach, e.g. Red Hat may also choose to distribute these updates but leave the mitigation disabled by default so as to avoid the performance penalty.

For more information on the semi-related Intel Lazy Floating point vulnerability, please see my separate post.

Thank you.

====================
Original Post
====================
On Monday (21st May 2018) more details of these vulnerabilities were made available by affected vendors, among them Red Hat, Google, Intel, IBM and Microsoft. There are two new vulnerabilities:

Rogue System Register Read (Spectre Variant 3a) (CVE-2018-3640)

Speculative Store Bypass (SSB) (Spectre Variant 4) (CVE-2018-3639)

Why should these vulnerabilities be considered important?

Rogue System Register Read cannot be leveraged remotely; an attacker must first log on to a vulnerable system and then carry out further steps to exploit it. Once exploited, the attacker may be able to obtain sensitive information by reading system register values via side-channel analysis.

For Windows, successful exploitation of this vulnerability would bypass Kernel Address Space Layout Randomization (KASLR). I have talked about ASLR (defined) before, but this link provides more detail on kernel ASLR.

Google Project Zero’s Jann Horn and Microsoft’s Ken Johnson first reported Speculative Store Bypass. It can possibly be used by an attacker remotely (from the internet). I use the term “possibly” since the mitigations added to web browsers following Spectre variant 2 earlier this year (e.g. reduced timer precision) make it harder for an attacker to do so; indeed, Intel rates the risk as “moderate”. This is the more serious of the two vulnerabilities, as it may allow an attacker to read privileged memory areas; an example would be a script running in one browser tab being able to read data from another browser tab.

Red Hat have made available a video more clearly explaining the Speculative Store Bypass (SSB) vulnerability.

How can I protect myself from these vulnerabilities?
At this time CPU vendors (AMD, ARM, Intel and IBM) are developing microcode/firmware updates, and operating system vendors (e.g. Red Hat and Microsoft) the corresponding OS updates that expose the new controls. The affected products from many popular vendors are listed at the following links. These vulnerabilities are addressed by CPU microcode updates working together with operating system updates, rather than by software changes alone.

It is recommended to follow the best practice advice for these vulnerabilities as per the US-CERT namely:

1. Please refer to and monitor the links below for the updates from affected vendors.
2. Test these updates before deploying them widely
3. Ensure the performance impact (anticipated to be between 2 – 8%) is acceptable for the systems you manage/use.

These updates will ship with the mitigations disabled; where appropriate/acceptable for an affected system, the protection (along with its performance impact) can be enabled.
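Because the mitigation ships disabled, the first thing to check after patching is whether it is actually active. The following added example (not code from any vendor advisory) reads the Linux kernel’s /sys/devices/system/cpu/vulnerabilities listing and the per-process prctl(PR_GET_SPECULATION_CTRL) status for Speculative Store Bypass; the sample listing it falls back to on other platforms is constructed, not captured from a real machine. On Windows the equivalent check is Microsoft’s SpeculationControl PowerShell module (Get-SpeculationControlSettings).

```python
"""Checking whether Spectre/Meltdown-class mitigations (including Speculative Store
Bypass, CVE-2018-3639) are active on a Linux host.

Added example, not code from any vendor advisory. The sysfs interface and prctl
constants are the kernel's own; the sample listing below is constructed, not
captured from a real machine.
"""
import os
import sys

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"   # Linux 4.15+; spec_store_bypass from 4.17

def classify(status):
    """Map one sysfs status string to 'ok', 'vulnerable' or 'unknown'."""
    s = status.strip()
    if s.startswith("Not affected") or s.startswith("Mitigation:"):
        return "ok"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"

def parse_listing(entries):
    """entries: {name: file contents}. Returns {name: (classification, status)}."""
    return {name: (classify(text), text.strip()) for name, text in entries.items()}

def needs_action(entries, required=("meltdown", "spectre_v1", "spectre_v2", "spec_store_bypass")):
    """Names that are vulnerable, or that this kernel does not report on at all."""
    parsed = parse_listing(entries)
    return sorted(n for n in required if n not in parsed or parsed[n][0] != "ok")

def read_sysfs(path=SYSFS_DIR):
    """Read the live listing; empty dict on non-Linux hosts or old kernels."""
    entries = {}
    if os.path.isdir(path):
        for name in os.listdir(path):
            with open(os.path.join(path, name)) as fh:
                entries[name] = fh.read()
    return entries

# Per-process view: prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS) (linux/prctl.h)
PR_GET_SPECULATION_CTRL = 52
PR_SPEC_STORE_BYPASS = 0
PR_SPEC_PRCTL, PR_SPEC_ENABLE, PR_SPEC_DISABLE, PR_SPEC_FORCE_DISABLE = 1, 2, 4, 8

def decode_ssb_ctrl(value):
    """Translate the prctl return value (None = call unsupported or failed)."""
    if value is None:
        return "unsupported"
    if value == 0:
        return "cpu not affected"
    if value & (PR_SPEC_DISABLE | PR_SPEC_FORCE_DISABLE):
        return "mitigated (store bypass disabled for this process)"
    if value & PR_SPEC_ENABLE:
        via = ", prctl available" if value & PR_SPEC_PRCTL else ""
        return "unmitigated (store bypass enabled%s)" % via
    return "unknown"

def read_ssb_ctrl():
    """Live query of the calling process; Linux only."""
    if not sys.platform.startswith("linux"):
        return None
    import ctypes
    libc = ctypes.CDLL(None, use_errno=True)
    r = libc.prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0)
    return None if r < 0 else r

SAMPLE_LISTING = {  # constructed: a kernel with the SSB patches applied but the mitigation left off
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Full generic retpoline\n",
    "spec_store_bypass": "Vulnerable\n",
}

if __name__ == "__main__":
    live = read_sysfs() or SAMPLE_LISTING
    for name, (cls, status) in sorted(parse_listing(live).items()):
        print("%-20s %-10s %s" % (name, cls, status))
    print("needs action:", needs_action(live))
    print("this process:", decode_ssb_ctrl(read_ssb_ctrl()))
```

Note that a sysfs status of “Mitigation: Speculative Store Bypass disabled via prctl and seccomp” only means the control exists; individual processes remain unmitigated unless they (or a seccomp filter applied to them) opt in, which is exactly what the prctl decoding above reports for the calling process.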

These updates are scheduled to be made available before the end of May. Cloud vendors (e.g. Amazon AWS, Microsoft Azure etc.) will also update their systems once the performance impact is determined and if deemed acceptable.

Thank you.

====================
AMD:
https://www.amd.com/en/corporate/security-updates

ARM:
https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability

Cisco:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180521-cpusidechannel

IBM:
https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/

Intel:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html

Microsoft (full impact yet to be determined):
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180012

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180013

Red Hat:
https://access.redhat.com/security/cve/cve-2018-3639

Oracle:
https://blogs.oracle.com/oraclesecurity/processor-vulnerabilities-cve-2018-3640-and-cve-2018-3639

SUSE:
https://www.suse.com/de-de/support/kb/doc/?id=7022937

Ubuntu:
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/Variant4

VMware ESXI, Fusion/Fusion Pro, Workstation/Workstation Pro and vCenter Server:
https://www.vmware.com/security/advisories/VMSA-2018-0012.html

https://kb.vmware.com/s/article/54951

https://kb.vmware.com/s/article/55111
====================

Blog Post Shout Out: Cisco IOS XE and Drupal Security Updates

I wish to give a respectful shout out to the following security advisories and news articles for their coverage of critical security vulnerabilities within Cisco IOS XE and the Drupal CMS (defined), released on the 28th and 29th of March respectively.

The backdoor (defined) account being removed by the Cisco IOS XE update could have allowed an unauthenticated attacker to remotely log in to an affected router or switch and carry out any action permitted at privilege level 15 (the highest privilege level on these devices).

Meanwhile the Drupal vulnerability (dubbed “Drupalgeddon2”) is rated as highly critical since it is remotely exploitable without authentication and easy for an attacker to leverage, allowing the attacker to carry out any action they choose on the affected site.

Please follow the advice within the below linked to advisories and update any affected installations of these products that your organisation may have:

March 2018 Semi-annual Cisco IOS and IOS XE Software Security Advisory Bundled Publication

Cisco Removes Backdoor Account from IOS XE Software (includes mitigations if patching is not possible) by Catalin Cimpanu (Bleeping Computer)

Drupal core – Highly critical – Remote Code Execution – SA-CORE-2018-002

Drupal Issues Highly Critical Patch: Over 1m Sites Vulnerable by Tom Spring (Kaspersky ThreatPost)

Thank you.

Cisco Issues ASA FirePOWER Appliance Security Updates

In late March, Cisco published a security advisory for the software that operates their Adaptive Security Appliance (ASA) with FirePOWER Services and the related FirePOWER appliances, to address a high severity security issue (assigned 1 CVE (defined)).

Why Should This Issue Be Considered Important?
If you use Cisco ASA with FirePOWER Services (or the other FirePOWER-based products listed below), an unauthenticated remote attacker (an individual with no prior access to your corporate network) could bypass the malware detection of these appliances; in other words, the very function they are designed to provide can be bypassed.

If such a bypass were combined with the large amount of ransomware currently being distributed, the result could be disastrous for your company and its reputation (although this is a worst case scenario).

Moreover, there are no workarounds for this issue. Fortunately, at this time the Cisco Product Security Incident Response Team (PSIRT) is not aware of this issue being publicly exploited. This issue was responsibly disclosed (defined) to Cisco by Dikla Barda, Liad Mizrachi, and Oded Vanunu from the Check Point Security Team.

The above mentioned security issue affects the following Cisco security products:

  • Adaptive Security Appliance (ASA) 5500-X Series with FirePOWER Services
  • Advanced Malware Protection (AMP) for Networks, 7000 Series Appliances
  • Advanced Malware Protection (AMP) for Networks, 8000 Series Appliances
  • FirePOWER 7000 Series Appliances
  • FirePOWER 8000 Series Appliances
  • FirePOWER Threat Defense for Integrated Services Routers (ISRs)
  • Next Generation Intrusion Prevention System (NGIPS) for Blue Coat X-Series
  • Sourcefire 3D System Appliances
  • Virtual Next-Generation Intrusion Prevention System (NGIPSv) for VMware

These products are affected when running a version of Cisco’s Firepower System Software older than the fixed release for their branch; the fixed releases are:

  • 5.4.0.7 and later
  • 5.4.1.6 and later
  • 6.0.1 and later

How Can I Protect Myself from This Issue?
If your organization/business uses any of the above mentioned Cisco security products, please follow the directions within the Cisco security advisory mentioned below to install the necessary security updates:

Cisco Firepower Malware Block Bypass Vulnerability

Thank you.

Cisco Issues Security Update to WebEx Android App

Last week Cisco issued a security update for their WebEx Meetings Android App to resolve a severe permissions issue.

Why Should This Issue Be Considered Important?

This is a serious security issue that could lead to information disclosure and an elevation of privilege (defined) attack. It is present in all versions of the app older than version 8.5.1. As Cisco discusses in its security advisory, this issue could be exploited by a remote attacker with no previous access to the app by tricking the user of the smartphone into installing another (malicious) app that exploits the issue within the WebEx app. If this happened, any information and permissions/access that the WebEx app has would then be available to the malicious app.

In addition, there are no workarounds for this issue. At this time Cisco has not seen any evidence to show that this issue has been used by attackers.

How Can I Protect Myself From This Issue?
Cisco have released an updated version of the WebEx app to address this issue. The updated app is available from this link (Google Play Store). Graham Cluley’s blog post also contains one piece of further important advice to stay safe when downloading apps or app updates.

Thank you.

Cisco Issues Web Security Appliance Security Updates

In early November Cisco made available security updates to resolve 3 CVEs (defined)(1x critical and 2x high severity) within their Web Security Appliances (WSA).

Why Should These Issues Be Considered Important?
The first and most serious vulnerability could allow an authenticated user (a user who already has some level of access to your Cisco appliance) to obtain root level access (defined) to the appliance by passing crafted commands as arguments (parameters, defined) to the system scripts used to create certificates (a command injection).
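The advisory does not publish the vulnerable script, so the following added example (not Cisco’s code) reconstructs the class of bug in a small, hypothetical certificate-generation helper: a caller-supplied certificate field interpolated into a shell command line, beside the hardened form that validates the input against an allow-list and passes an argv list without a shell. The helper names, the key path and the sample common names are constructed for the illustration; nothing in it executes openssl, the shell’s view of the command line is simulated with shlex.

```python
"""Command injection through a certificate-generation helper, beside the hardened form.

Added example, not Cisco's code: the helper, its parameters and the sample common
names are constructed to show the class of bug the advisory describes. Nothing here
executes openssl; the 'shell' view is simulated with shlex so it runs anywhere.
"""
import re
import shlex
import subprocess

def build_csr_command_unsafe(common_name, key_path):
    """VULNERABLE (illustration): caller input is interpolated into a shell command line.
    Single quotes are not a boundary the caller cannot cross: a CN containing a quote
    closes the string, and anything after ';' becomes a second command run with the
    privileges of the script (root, in the advisory's case)."""
    return "openssl req -new -key %s -subj '/CN=%s'" % (key_path, common_name)

def shell_commands(command_line):
    """What /bin/sh would execute: tokenise like a POSIX shell and split on separators."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    commands, current = [], []
    for token in lexer:
        if token in (";", "&&", "||", "|", "&"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands

# Allow-list for a DNS host name or wildcard CN; nothing else gets near a shell or argv.
SAFE_CN = re.compile(r"^[A-Za-z0-9*][A-Za-z0-9.*-]{0,63}$")

def build_csr_command_safe(common_name, key_path):
    """Hardened: validate input against an allow-list, then return an argv list so the
    caller runs it with shell=False and each element is exactly one argument."""
    if not SAFE_CN.match(common_name):
        raise ValueError("common name contains characters outside the allow-list")
    if not key_path.startswith("/") or "\x00" in key_path:
        raise ValueError("key path must be an absolute path without NUL bytes")
    return ["openssl", "req", "-new", "-key", key_path, "-subj", "/CN=" + common_name]

def generate_csr(common_name, key_path):
    """Run the hardened form. shell=False: no shell parses the arguments at all."""
    return subprocess.run(build_csr_command_safe(common_name, key_path),
                          check=True, capture_output=True)

if __name__ == "__main__":
    injected = "'; id; echo '"           # constructed malicious common name
    print(shell_commands(build_csr_command_unsafe(injected, "/etc/ssl/private/wsa.key")))
    print(build_csr_command_safe("proxy.example.com", "/etc/ssl/private/wsa.key"))
    try:
        build_csr_command_safe(injected, "/etc/ssl/private/wsa.key")
    except ValueError as e:
        print("rejected:", e)
```

The allow-list deliberately requires the common name to start with a letter, digit or wildcard: even with an argv list and no shell, a value beginning with “-” could otherwise be read as an option by the program being invoked, and a script that runs as root must close that door as well.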

The remaining 2 high severity issues could result in a denial of service (DoS, defined) condition when exploited by a remote unauthenticated attacker (i.e. someone with no initial access to your security appliance). They are caused by failures to free (make available for reuse) memory when “opening multiple connections that request file ranges” and when retrieving “data from the proxy server cache to terminate a TCP connection.” The result of these denial of service attacks would be your security appliance being temporarily unable to carry out its role within your organization.

The most severe issue has no available workaround, but the high severity issues have workarounds and indicators of compromise (IOC) (defined) to detect whether attacks using them have occurred. At this time, the Cisco Product Security Incident Response Team (PSIRT) is not aware of any of these issues being used to attack its customers.

The affected appliances are as follows:

  • Critical issue: Cisco AsyncOS for the WSA versions 8.0 and later, both virtual and hardware versions
  • High severity issues: Cisco AsyncOS versions 8.0 through 8.8 for Cisco WSA on both virtual and hardware appliances.

Steps to determine if your appliances are affected are provided in the 3 Cisco security advisories mentioned below.

How Can I Protect Myself From These Issues?
If your organization uses any of the above mentioned Cisco Web Security Appliances please follow the directions within the 3 Cisco security advisories mentioned below to install the necessary security updates:

Cisco Web Security Appliance Certificate Generation Command Injection Vulnerability
Cisco Web Security Appliance Range Request Denial of Service Vulnerability Advisory 1
Cisco Web Security Appliance Range Request Denial of Service Vulnerability Advisory 2

Thank you.

Cisco Releases Adaptive Security Appliance (ASA) Security Updates

In late October Cisco released 4 security advisories to resolve 4 high severity CVEs (defined) that could result in a denial of service (DoS) (defined) condition for the affected Cisco Adaptive Security Appliance (ASA) software.

Why Should These Issues Be Considered Important?
If you make use of Cisco ASA software, an unauthenticated remote attacker (namely an attacker that does not have any prior access to your Cisco software) could potentially prevent that software from performing its job by causing it to reload (stop functioning and then restart).

Reloading amounts to a denial of service (DoS) condition, since while the software is reloading it is not doing what it was intended to do within your organization. The attacker would only need to send the software a specially crafted DHCPv6 packet (see the Aside below for a definition of DHCP) or, for the VPN ISAKMP issue (which involves Internet Key Exchange (IKE) version 1; see Aside 3 below for a definition), a specially crafted UDP (defined) packet.

In the case of the first 2 advisories, concerning how the ASA software processes DNS packets (see this post for a non-technical explanation and Aside 2 below for a more formal definition of DNS), the attacker would only need to send the ASA software specially crafted packets that cause it to generate a DNS request, and then answer that request with a spoofed, crafted DNS response.

The above means of attack make it reasonably easy for an attacker to take advantage of these issues to interrupt the normal operation of your ASA software. Finally, there are no workarounds available for these issues (apart from disabling the affected components, which is not really an option if you make use of them).

How Can I Protect Myself From These Issues?
At this time the Cisco Product Security Incident Response Team (PSIRT) is not aware of any of these issues being exploited by attackers since these issues were discovered during internal security testing.

If your organization uses any of the above mentioned Cisco ASA software please follow the directions within the four Cisco security advisories mentioned below to install the necessary security updates:

Cisco ASA Software DNS Denial of Service Vulnerability Advisory 1
Cisco ASA Software DNS Denial of Service Vulnerability Advisory 2
Cisco ASA Software DHCPv6 Relay Denial of Service Vulnerability
Cisco ASA Software VPN ISAKMP Denial of Service Vulnerability

Thank you.

=======================
Aside:
What is DHCP?

Dynamic Host Configuration Protocol (DHCP) is a protocol that automatically assigns an IP address (defined) to a computing device to enable it to communicate with other devices on that network.

The IP addresses provided can be static (fixed) or dynamic (temporary; these addresses exist for a time known as the lease time, and when the lease expires the device can choose to renew it for another lease period, e.g. 12 hours). The IP address assigned by DHCP comes from a pool (collection) of free addresses available for use on that network. The process of being automatically assigned an IP address is similar to being given a phone number so that you can call other phone numbers to speak to other people.

DHCP can also provide other information such as the IP address of the DNS server to a device enabling it to access websites on the internet when a person types a website address into their web browser address bar (DNS is explained in more detail below).

Finally, DHCP provides the newly connected device with the IP address of the network’s default gateway, enabling the device to communicate with other networks (e.g. the wider internet). The default gateway is the router that forwards traffic from your network to other networks (which may use different link-layer technologies, e.g. ATM (defined) or Frame Relay (defined)). For example, in your home your wireless router acts as both your default gateway and your DNS server (unless you configure custom DNS settings). This router connects your devices (which form your Local Area Network (LAN)) to the internet (a Wide Area Network, WAN).

Please note that DHCPv6 is the IPv6 (defined) equivalent of DHCP (which is used with current generation IPv4 networks).
=======================

=======================
Aside 2:
What is DNS?

DNS (Domain Name System) works very much like looking a phone number up in a phone book. It translates website names, e.g. www.google.com, into an IP address (defined), allowing for example your web browser to connect to Google’s server to display Google’s homepage. The same lookup serves any other application that needs to reach a named host.

DNS is also used by email services to locate the mail server for a domain when you send a message from your computer, e.g. to bob@example.com. An MX (mail exchange) record maps that domain name (example.com) to a list of mail transfer agents (MTAs) for that domain. MTAs transfer a message using SMTP (defined) from MTA to MTA until it reaches the MTA for the message’s destination.

DNS usually uses UDP (defined) port 53 to communicate with other DNS servers to find the IP address for the website name that you entered. The authoritative DNS servers for a zone also keep their copies of the domain name to IP address translations synchronized using a process known as DNS zone (defined) transfers (usually over TCP port 53).
=======================

=======================
Aside 3:
What is Internet Key Exchange (IKE)?

Internet Key Exchange is part of a wider security feature known as IPSec.

IPSec (Internet Protocol Security) is a set of protocols that provide a means of setting up a secure channel of communication between 2 computing devices. Many VPNs (Virtual Private Networks)(defined) used by employees to access data and computers (usually servers) when outside of the office use IPSec to secure the connection between the employee’s device and their corporate office.

IPSec is a framework (a recommended means of accomplishing something) and so does not mandate specific integrity/hashing algorithms (e.g. SHA-1, SHA-256) or encryption algorithms (e.g. AES); those are negotiated between the 2 devices. Nor does it specify how the 2 devices authenticate each other and establish keys (e.g. pre-shared keys or RSA/ECDSA certificates); that is the role of the key exchange protocol described next.

The key exchange mechanism commonly used when IPSec is securing a channel is Internet Key Exchange (IKE) (the term is defined in the Internet Security Glossary, RFC 2828; IKE version 1 itself is specified in RFC 2409). IKEv1 is built on ISAKMP (Internet Security Association and Key Management Protocol) and the Oakley key determination protocol: ISAKMP defines the message formats and the phases for negotiating security associations, while Oakley defines the Diffie-Hellman based key exchange modes.

The establishment of the secure channel happens in two phases, described in detail within this Cisco article. In phase 1 the Diffie-Hellman algorithm is used to agree a shared secret between the two devices, from which the keys protecting the channel are derived.

IKE is used with IPSec to provide the following benefits:

  • Removes the need to manually set the IPSec security parameters while establishing the connection between two devices.
  • Protects against replay attacks (summarized details of such are provided in this thread (this is a long thread, I would advise searching for the keyword “session” within that page)).
  • Provides the ability to set a limited lifetime for the IPSec communication channel, taking advantage of the capability for encryption keys to change during an individual IPSec session (essentially providing the extra security of temporary session keys).

=======================

Cisco Releases Scheduled Security Updates For IOS and IOS XE

Earlier this week Cisco released security updates to address authentication bypass and denial of service (defined) security vulnerabilities within Cisco IOS and IOS XE.

Why Should These Issues Be Considered Important?
The SSHv2 RSA authentication bypass vulnerability could allow an unauthenticated remote attacker to obtain the access privileges of the targeted user or of the Virtual Teletype (VTY) line, which could be admin privileges. The attacker would, however, need to know a valid user name and possess a specially crafted private key. The only workaround for this issue is to disable RSA based SSHv2 user authentication.

Meanwhile a vulnerability in the processing of IPv4 packets that require Network Address Translation (NAT) and Multiprotocol Label Switching (MPLS) services could allow an unauthenticated remote attacker to cause an affected Cisco IOS XE device to stop functioning (namely a denial of service attack). The attacker would only need to send the device a specially crafted IPv4 (defined) packet.

This flaw affects the following products:

  • Cisco ASR 1000 Series
  • Cisco ISR 4300 Series
  • Cisco ISR 4400 Series
  • Cisco Cloud Services 1000v Series Routers

Separately, 2 vulnerabilities in the IPv6 snooping feature (part of the first-hop security features in Cisco IOS and IOS XE Software) could also cause a denial of service. To exploit the insufficient validation of IPv6 Neighbor Discovery (ND) packets, an attacker would only need to send a malformed IPv6 ND packet to the device. For the second flaw, insufficient Control Plane Protection (CPPr) against specific IPv6 ND packets, an attacker would need to send a large number of crafted IPv6 ND packets to a vulnerable device.

No workaround is available for the IPv4 NAT/MPLS vulnerability. For the 2 IPv6 (defined) flaws, the only workaround is disabling the IPv6 snooping feature until the appropriate security updates are installed.

The remaining vulnerabilities affect any Cisco device running IOS and/or IOS XE. As you can see, only the authentication bypass issue is likely to pose a challenge to a determined adversary; all the other issues discussed above could potentially be exploited easily.

How Can I Protect Myself From These Issues?
Within the Cisco security advisory you can use the link provided to access the Cisco IOS Software Checker to determine if your Cisco IOS device is vulnerable to these issues. This security advisory also provides the links to the individual advisories for each vulnerability which contain the steps to install the appropriate updates.

Thank you.

Cisco Networking Devices Compromised by SYNful Knock Attack

Update: 23rd September 2015:
The 2 blog posts mentioned below, written by FireEye, found that SYNful Knock had affected at least 14 routers in countries such as Mexico, Ukraine, India and the Philippines. However, joint research carried out by Cisco and Shadowserver has shown that 199 unique IP addresses are exhibiting SYNful Knock behavior.

Shadowserver’s results are shown within this blog post (which contains further advice on how to prevent this attack affecting your Cisco routers). They intend to keep these statistics updated as time progresses.

In addition, Cisco has created a page regarding SYNful Knock containing useful resources on how to detect and prevent this attack. Their blog post also mentions a Snort rule (Snort is an intrusion prevention system, IPS (defined)) which can be used to detect this attack on the network.

I hope that above additional resources are useful to you in protecting/remediating your network.
Thank you.

=======================
Original Post:
=======================
Last week a series of blog posts were published by FireEye which provide in-depth technical details of an attack named “SYNful Knock”.

In a previous blog post I mentioned that Cisco had released security updates to address an issue that would allow an attacker to install a compromised/tampered with version of the Cisco IOS operating system on Cisco networking devices. SYNful Knock is a very similar attack that carries out those actions to replace the legitimate Cisco IOS with one that can be completely controlled by the attacker by their inclusion of a backdoor (defined).

Why Should This Issue Be Considered Serious?
The exact purpose of this attack is not clear but the result of replacing the legitimate Cisco IOS with a version controlled by an attacker will allow them to conduct surveillance on the data passing through the network device, control all functions/settings of the device as well as using these devices as highly stealthy “beachheads” with which to launch further attacks. Attackers can also direct legitimate users to spoofed websites, carry out data theft and/or denial of service attacks (defined) since your routers could be made to no longer carry out their role/function.

In addition, due to the above mentioned stealthy nature of this attack, it is more difficult than usual to detect whether your Cisco networking devices have been compromised. As noted in this article, Tony Lee of FireEye mentions that this attack is not likely to be the first and only time the Cisco IOS is modified in a stealthy manner and that very similar attacks and more sophisticated attacks are likely to occur in the future.

Moreover this attack affects multiple Cisco networking devices, specifically:

Cisco 1841 router
Cisco 2811 router
Cisco 3825 router

As noted by FireEye, it is very likely that further devices are vulnerable to this attack due to similarities throughout Cisco’s networking devices and since they share the same IOS operating system.

How Can I Protect Myself From This Issue?
FireEye have dedicated a blog post detailing methods used to detect if your Cisco devices are compromised.

If this is the case, they recommend re-imaging your Cisco device with a clean IOS image obtained from Cisco. You can verify that the image is clean “as intended” by checking that the hash value (defined) published by Cisco matches the hash value of the image you have downloaded. Compute that hash on a separate, trusted workstation rather than on the suspect device: a router running a modified image cannot be trusted to verify it honestly.
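The following added example (not FireEye’s or Cisco’s code) performs that offline check: it hashes a downloaded image in chunks, normalises the digest as copied from the download page, and compares the two in constant time. The image bytes it writes are a constructed placeholder and the “published” digest is computed from them so that the example runs anywhere; in practice the digest comes from Cisco’s download page.

```python
"""Offline verification of a downloaded IOS image against the vendor-published digest.

Added example, not FireEye's or Cisco's code. The 'image' is a constructed byte
string standing in for a real .bin, and the 'published' digest is computed from it
here; in practice the digest comes from Cisco's download page over HTTPS.
"""
import hashlib
import hmac
import os
import tempfile

def file_digest(path, algo="sha512", chunk=1 << 20):
    """Hash a file in chunks (IOS images are hundreds of MB; do not read them whole)."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_image(path, published_digest, algo="sha512"):
    """Compare the file's digest with the published one.

    Whitespace and case are normalised (copy-paste from a web page often adds both)
    and the digest is checked for shape before any file is read, so a garbled value
    fails loudly instead of silently never matching.
    """
    expected = "".join(published_digest.split()).lower()
    if (len(expected) != 2 * hashlib.new(algo).digest_size
            or any(c not in "0123456789abcdef" for c in expected)):
        raise ValueError("published digest is not a valid %s hex string" % algo)
    return hmac.compare_digest(file_digest(path, algo), expected)

def demo(algo="sha512"):
    """Write a constructed clean image and a copy with one bit flipped; verify both.
    Returns (clean_verified, tampered_verified)."""
    image = b"IOS-IMAGE-PLACEHOLDER " * 4096 + b"\x00" * 1024   # constructed, not a real image
    tampered = bytearray(image)
    tampered[500] ^= 0x01                                       # a single-bit change
    with tempfile.TemporaryDirectory() as d:
        clean_path = os.path.join(d, "clean.bin")
        bad_path = os.path.join(d, "tampered.bin")
        with open(clean_path, "wb") as f:
            f.write(image)
        with open(bad_path, "wb") as f:
            f.write(bytes(tampered))
        published = hashlib.new(algo, image).hexdigest().upper()  # stands in for the vendor's value
        return (verify_image(clean_path, published, algo),
                verify_image(bad_path, published, algo))

if __name__ == "__main__":
    print("clean, tampered verified:", demo())
```

Cisco IOS also offers `verify /md5 flash:<image>` on the device itself, but a router you suspect of running a modified image is exactly the place not to trust the verification; hash the image on the trusted workstation first and only then copy it to the router.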

Furthermore FireEye recommend hardening your devices against future attacks of this nature.

Most importantly, as noted by FireEye, make sure that if you have to re-image a router its settings are customized to meet your needs and that default usernames and passwords are not used.

Finally, it is believed that this attack is carried out using compromised credentials (username and password), or credentials left at their default values, to initially access the router. However, as FireEye again note, if you know that your router did not use default credentials you may need to sweep every device on your network for signs of compromise, since the attack will most likely have come from an already compromised system/device within your network.

The Mitigation section of FireEye’s second blog post provides a link to a whitepaper to share among your incident response team should a network sweep become necessary.

Thank you.