Cisco network kit warning: Watch out for malware in the firmware

Someone's reverse-engineered ROMMON to craft an admin-level attack


Cisco has warned users to keep a close eye on who's got admin access to their kit, because it's seen malicious ROM images in the wild.

The problem is that this isn't something the Borg can just issue a patch for. Admins – with appropriate credentials, naturally – need to be able to drop new ROM images on their kit as a matter of course.

"The ability to install an upgraded ROMMON image on IOS devices is a standard, documented feature that administrators use to manage their networks", Cisco says.

In its advisory, the company says "Cisco has observed a limited number of cases where attackers, after gaining administrative or physical access to a Cisco IOS device, replaced the Cisco IOS ROMMON (IOS bootstrap) with a malicious ROMMON image".

ROMMON is the IOS bootstrap, the code that runs before IOS itself loads, so replacing it lets an attacker "manipulate device behaviour" from underneath the operating system. Because the implant lives in the bootstrap rather than in IOS, it persists through a reboot, and an owner who doesn't know it's there has no reason to go looking for it.

The company points to three white papers so users of Cisco IOS Classic platforms can refresh themselves on how to harden devices against such an attack: Cisco IOS Software Integrity Assurance, Cisco Guide to Harden IOS Devices, and Telemetry-Based Infrastructure Device Integrity Monitoring.
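The integrity-monitoring approach those Cisco papers describe boils down to collecting what the device reports about its bootstrap and running image and comparing it with a known-good baseline. The script below is an added example of that check, not code from Cisco or from the article: it parses constructed `show version` and `verify /md5` output (the platform name, ROMMON version string, image filename and MD5 digest in it are placeholders, not real Cisco values) and flags anything that drifts from the baseline.

```python
import re

# Known-good baseline per platform. These version strings and hashes are
# CONSTRUCTED placeholders for the example; real values come from Cisco's
# download pages and from your own pre-deployment verification.
BASELINE = {
    "2800": {
        "rommon": "12.4(13r)T11",
        "images": {
            "c2800nm-adventerprisek9-mz.151-4.M10.bin":
                "0123456789abcdef0123456789abcdef",
        },
    },
}

# Constructed sample of `show version` output from an IOS Classic router.
SAMPLE_SHOW_VERSION = """\
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(4)M10, RELEASE SOFTWARE (fc2)
ROM: System Bootstrap, Version 12.4(13r)T11, RELEASE SOFTWARE (fc1)
System image file is "flash:c2800nm-adventerprisek9-mz.151-4.M10.bin"
"""

# Constructed sample of `verify /md5 flash:<image>` output.
SAMPLE_VERIFY = """\
.........Done!
verify /md5 (flash:c2800nm-adventerprisek9-mz.151-4.M10.bin) = 0123456789abcdef0123456789abcdef
"""

# Constructed "tampered" samples: a different bootstrap string and image digest.
TAMPERED_SHOW_VERSION = SAMPLE_SHOW_VERSION.replace("12.4(13r)T11", "12.4(13r)T12")
TAMPERED_VERIFY = SAMPLE_VERIFY.replace(
    "0123456789abcdef0123456789abcdef", "ffffffffffffffffffffffffffffffff")

PLATFORM_RE = re.compile(r"^Cisco IOS Software, (\w+) Software", re.M)
ROMMON_RE = re.compile(r"^ROM: System Bootstrap, Version (\S+),", re.M)
IMAGE_RE = re.compile(r'^System image file is "(?:\w+:)?([^"]+)"', re.M)
MD5_RE = re.compile(r"verify /md5 \((?:\w+:)?([^)]+)\) = ([0-9a-f]{32})")


def parse_show_version(text):
    """Pull platform, ROMMON version and running image name out of `show version`."""
    def first(rx):
        m = rx.search(text)
        return m.group(1) if m else None
    return {"platform": first(PLATFORM_RE),
            "rommon": first(ROMMON_RE),
            "image": first(IMAGE_RE)}


def parse_verify_md5(text):
    """Return (filename, digest) from `verify /md5` output, or (None, None)."""
    m = MD5_RE.search(text)
    return (m.group(1), m.group(2)) if m else (None, None)


def check_device(show_version_text, verify_text, baseline=BASELINE):
    """Compare device-reported facts against the baseline.

    Returns a list of human-readable findings; an empty list means the
    bootstrap version, the running image name and its digest all matched.
    """
    findings = []
    info = parse_show_version(show_version_text)
    plat = baseline.get(info["platform"])
    if plat is None:
        return [f"no baseline for platform {info['platform']!r}"]
    if info["rommon"] != plat["rommon"]:
        findings.append(f"ROMMON version {info['rommon']!r} differs from "
                        f"baseline {plat['rommon']!r}")
    fname, digest = parse_verify_md5(verify_text)
    if fname != info["image"]:
        findings.append(f"verified file {fname!r} is not the running image "
                        f"{info['image']!r}")
    expected = plat["images"].get(fname)
    if expected is None:
        findings.append(f"image {fname!r} is not on the approved list")
    elif digest != expected:
        findings.append(f"MD5 of {fname!r} is {digest}, expected {expected}")
    return findings


if __name__ == "__main__":
    for label, sv, vf in (("clean", SAMPLE_SHOW_VERSION, SAMPLE_VERIFY),
                          ("tampered", TAMPERED_SHOW_VERSION, TAMPERED_VERIFY)):
        print(label, check_device(sv, vf) or "OK")
```

One caveat worth keeping in mind: both inputs are produced by the device under test, so a sufficiently capable ROMMON implant could in principle report whatever it likes. Treat this as a first-pass, fleet-wide drift check, and back it with the offline verification the Cisco integrity-assurance paper describes (pulling the image off the box and hashing it elsewhere) before trusting a device that has already been exposed to admin-level compromise.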

It doesn't take a fevered imagination to suggest a pretty sophisticated actor is involved here. Someone needed the skills to reverse-engineer ROMMON, and the resources to obtain valid admin credentials, whether by suborning sysadmins or stealing their logins, before installing the malicious image on the targets' networks.

"In all cases seen by Cisco, attackers accessed the devices using valid administrative credentials", the note states, meaning each intrusion could be traced back to the admin account used, and that the way in was a legitimate login rather than a hole in IOS itself. ®
