Bruce Schneier On Cisco ROMMON Firmware Exploit: "This Is Serious" 57

When Bruce Schneier says of a security problem "This is serious," it makes sense to pay attention to it. And that's how he refers to a recently disclosed Cisco vulnerability alert about "an evolution in attacks against Cisco IOS Classic platforms. Cisco has observed a limited number of cases where attackers, after gaining administrative or physical access to a Cisco IOS device, replaced the Cisco IOS ROMMON (IOS bootstrap) with a malicious ROMMON image." Schneier links to Ars Technica's short description of the attack, which notes: "The significance of the advisory isn't that the initial firmware can be replaced. As indicated, that's a standard feature not only with Cisco gear but just about any computing device. What's important is that attackers are somehow managing to obtain the administrative credentials required to make unauthorized changes that take control of the networking gear."

  • by DogDude ( 805747 ) on Thursday August 20, 2015 @08:42AM (#50353481)
    Well no shit, Sherlock, really?
      by Anonymous Coward

      What's important is that attackers are somehow managing to obtain the administrative credentials required to make unauthorized changes that take control of the networking gear.

      So, there's a big privilege escalation vulnerability that they haven't identified yet. This is a side effect of something serious that has not yet been isolated by Cisco.

      Yeah, that's serious.

      • by Anonymous Coward on Thursday August 20, 2015 @09:06AM (#50353629)

        A privilege escalation vulnerability that gives physical access? Yeah, that does sound pretty serious.

        • by JustAnotherOldGuy ( 4145623 ) on Thursday August 20, 2015 @10:03AM (#50354023)

          A privilege escalation vulnerability that gives physical access? Yeah, that does sound pretty serious.

          Apparently, once it's been rooted it enables teleportation.

        • by Anonymous Coward

          administrative or physical access

          Physical access isn't required to replace the firmware; it can be done remotely. They just meant that you're able to replace the firmware over the serial port. Remotely you could use telnet or ssh.

          • They are replacing the ROMMON bootloader, not the firmware image. It is entirely possible that you do need physical access to do this, either because the bootloader is a separate ROM IC, or because the software requires you to press/hold a button before proceeding. I don't know for sure. Do you have actual experience replacing ROMMON?
        • by Qzukk ( 229616 )

          The article says OR physical access, so it sounds like if you know the admin password you can upload a firmware image over the network, which seems to be pretty damn common on network devices.

          • Serious Question: Is it ever going to be possible to secure systems that allow firmware to be updated by a remote user?

            Isn't it likely that at some point we're going to have to face up to the reality that many things we find to be extremely convenient simply aren't compatible with the notion of security?

            • by Anonymous Coward

              Requiring the firmware to be signed is probably one way to do it. But it's been shown to be more of a speed bump than a wall so far.

              You could put a toggle switch on the device that you need to physically move to enable writing to the firmware, and ensure it's implemented in hardware to the memory rather than as a signal to the software so a hacker can't bypass it. Totally possible, but inconvenient. Although, since data centres offer remote hands services, not terribly so.

        • You don't actually need physical access, you just need access to the console port. Most folks don't access their console ports by going around and plugging in rollover cables, they hook the console ports into terminal servers and get remote console access that way.

          So yeah, all you really need to do is find a way onto the management network and obtain some admin credentials.

          • You'd better tell that to Cisco!

            From the section on Entering the Rom Monitor in the manual [cisco.com]

            Entering the ROM Monitor
            To use the ROM monitor, you must be using a terminal or PC that is connected to the router over the console port.
            Perform these steps to configure the router to boot up in ROM monitor mode the next time it is rebooted.


            (Emphasis Added)
        • "Cap'n! They hacked the ship's transporter! And then they hacked it again, even worse!"

    • by gstoddart ( 321705 ) on Thursday August 20, 2015 @09:25AM (#50353763)

      Unless of course there's a way to do it remotely using a built in security hole like a default password.

      And then it becomes a whole lot less "no shit, Sherlock" and becomes a lot more of "what the fuck were they thinking?".

      What's key here is if companies are having an epidemic of their admin credentials being obtained through other means, or if there is a means of getting those admin credentials which shouldn't exist.

      If it's a bunch of organizations with bad security practices, well, that's kind of hard to fix. If it's pinging the device and saying "give me your credentials", or a security backdoor they implemented ... then it's an entirely different matter.

      And in this day and age, I'm afraid my thinking is the security back door isn't so implausible. And I'm afraid if it's that, the issue lies squarely at the feet of Cisco.

      • Unless of course there's a way to do it remotely using a built in security hole like a default password.

        And then it becomes a whole lot less "no shit, Sherlock" and becomes a lot more of "what the fuck were they thinking?".

        If there was a backdoor password, someone would have spilled it by now, or it's the best kept secret in the black hat community.

        The Cisco advisory is basically saying 'hey, if someone has root, they can do bad shit'. And yeah, that's no shit, Sherlock.

    • by hey! ( 33014 )

      You're missing the point.

      Normally we take it for granted that most devices are insecure if they're not physically secured. From a technical standpoint vulnerability to physical attacks is the least interesting kind; you just tell your clients to lock the network closets, maybe log access to them. But the fact that a class of devices widely deployed -- in fact ubiquitously deployed -- in sensitive roles has been co-opted puts a different light on things.

      In fact it flips things entirely around. If there we

      • by Zalbik ( 308903 )

        we were in a cyber-war and didn't know it.

        We've always been at war with Eastasia.

      • by sjames ( 1099 )

        Disabling security violations from physical access is very dangerous and undesirable. If you do that, how do you recover admin access if the credentials are lost? If you can suggest any solution to that, you have left physical access as an attack vector.

        There are mitigations, however. There exists a well documented procedure over serial console to gain admin access to a Cisco router without the password. The catch is that to do so, you must take the router offline and so set off all the network monitors.

    • by AmiMoJo ( 196126 )

      Anything that allows the firmware to be updated remotely should require the firmware to be signed, to prevent this sort of attack. Of course the option for someone with physical access should be there to insert their own signing keys, but by default remote users should need to have firmware signed by Cisco, and Cisco should make damn sure that key never leaks out.

    • Apparently there are logs of valid admin logins happening. Whatever their vulnerability is, I didn't see any indication it has anything to do with Cisco, much less ROMMON, except that's where the symptoms are.

      For all we know the vulnerability is in KeePass and that's a commonality among the admins who are having problems. Obviously Cisco is in the loop, but nobody is showing evidence that it's their fault. If rumors are to be believed, China has been stealing secure info from all the big corps that can't

    • "Well no shit, Sherlock, really?"

      You are completely missing the point. Everybody usually gets all excited because a given compromise can be done remotely. The important thing here is that this isn't an exploitable flaw. This is a clear indication that people with knowledge of the admin password and physical access to the device, as well as access to or capability to create the replacement 'IOS", are doing this. It could be the CIA. It could be Cisco. It could be the Chinese. Maybe it is Count Zero. W

  • even though it's like saying 'attackers with the root password for a unix system have been observed manipulating logs and deleting core system files' deserves security disclosure...

    it does also bring up the old double edged sword of requiring signed firmware for devices like this. although a disgruntled admin can certainly cause serious damage, simply being able to hide malicious code at the hardware level via a remote admin interface is bad news.

    • by Macfox ( 50100 )
      Correct me if I'm wrong... But the significance of this report is that it implies ROMMON can be updated without console (local physical) access. AFAIK ROMMON is only accessible via the console port on most platforms.
  • If this were the NSA's doing, Cisco probably wouldn't have gone public about it (I'm assuming they'd exchange information with the NSA about a problem of this magnitude).
    • by gstoddart ( 321705 ) on Thursday August 20, 2015 @09:42AM (#50353873)

      Are you honestly expecting the NSA would tell them if they did this?

      the NSA won't tell Congress what they do ... WTF makes you think they give a crap what Cisco thinks about it?

      It may or may not be the NSA doing this, but I think your assumption they'd be forthright in admitting it is misguided. In fact, I assume at this point they'd lie through their teeth.

        by AmiMoJo ( 196126 )

        We know that the NSA routinely intercepts Cisco gear leaving the country, and inserts malware into the firmware. It looks like Cisco customers finally detected it. I wonder how much money this is costing Cisco, both in terms of support costs and in lost revenue.

        What do you do with a network device that had this malware on it? Replacing it with new hardware, preferably from another manufacturer, seems like the only option. Re-flashing the firmware might not kill it (lots of NSA malware is designed to surviv

        • Why would they limit themselves to exported hardware?
          • by PRMan ( 959735 )
            Presumably the Constitution... They do claim to still follow it by their own twisted interpretation.
            • Sorry, but bullshit.

              Show me some place where the NSA has ever said "everything we do is OK according to the Constitution".

              What's that? You got nothing? Keep moving along, citizen ... there's nothing to see here.

              The NSA, the FBI, local law enforcement, the government ... none of these entities give a crap about the Constitution. They will do anything they can get away with to fulfill what they think they're meant to do, or can get away with.

              It is not possible to find a million ways around the Constitution and

          • by lgw ( 121541 )

            Two answers: "they don't" and "logistical convenience".

            For export to certain countries of interest, there are convenient (for the NSA) shipping bottlenecks that allow them to root all the devices they care to moving from the US to that country. But that's not generally true.

            OTOH, we know the NSA has done more targeted stuff, like inserting an exploit in every PC sold in a small area, as a way to get that exploit to their target who lives in that area. Presumably that's labor intensive.

            There's no evidence

            • by Rujiel ( 1632063 )

              There's no evidence (so far) of someone like Cisco knowingly putting an NSA exploit in everything they sell.

              The NSA doesn't intercept all exported routers to a given country, either. Why wouldn't they intercept a single modem being shipped to a single target here in the US? It's no less illegal than most of the other junk they're doing.

              A slide leaked by Wikileaks shows Cisco being counted by the NSA as a "strategic partnership". http://www.vrworld.com/2014/05... [vrworld.com]

              UPS and Fed Ex's silence on the NSA's involvem

              • by lgw ( 121541 )

                The NSA doesn't intercept all exported routers to a given country, either

                We've certainly done that sort of thing in the past (though I don't know if it was the NSA). Every large printer sold to Iraq in the 80s and up to the first Gulf War had a radio transponder - we knew where every datacenter in the country was when the bombing started. I've heard mixed reports about Xerox machines sold to Russia during the cold war - certainly many of them had cameras that the service tech could harvest, not sure how broadly that was done.

                A slide leaked by Wikileaks shows Cisco being counted by the NSA as a "strategic partnership".

                Yep, wouldn't surprise me at all if Cisco has a form

  • $5 says ...

    by Anonymous Coward

    Somebody's discovered a backdoor that Cisco installed in Cisco IOS products.

  • The significance of the advisory isn't that the initial firmware can be replaced. As indicated, that's a standard feature not only with Cisco gear but just about any computing device.

    This is what should change. Firmware being read-write without some significant intervention is a huge factor in the current generation of vulnerabilities. Why is ROMMON write-enabled without moving a jumper or flipping a physical switch on the chassis?

    Why can we update firmware on our PCs without needing to reboot into some special mode first? That stuff should be read-only (preferably with a hardware latch on the write-enable pin that's only cleared by a processor reset) as early as possible in the b
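Several comments in this thread describe the same defensive pattern from different angles: require remote updates to be signed by a key the device already trusts (with a way for an on-site operator to enroll their own key), and back the signature check with a hardware write-enable that software cannot flip. The following Go program is an added illustration of that pattern; it is not Cisco's code, not from the advisory, and not from any commenter. It models a bootloader-side update gate: an image is accepted only when the write-enable latch is asserted and the image carries an Ed25519 signature by a key in the trust store, and enrolling a new key is gated the same way. The image format (image bytes followed by a 64-byte signature over SHA-256 of the image), the `UpdateGate` type, the error values and the sample image are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Gate outcomes; returned rather than printed so a caller can act on them.
var (
	ErrWriteLatched = errors.New("write-enable latch not asserted: physical presence required")
	ErrBadSignature = errors.New("image signature does not verify against any trusted key")
	ErrTooShort     = errors.New("blob too short to carry a signature")
	ErrBadKey       = errors.New("malformed public key")
)

// sigLen is the Ed25519 signature size appended to every signed image.
const sigLen = ed25519.SignatureSize

// SignImage models the vendor's build step (constructed format for this example):
// output = image bytes || Ed25519 signature over SHA-256(image).
func SignImage(priv ed25519.PrivateKey, image []byte) []byte {
	digest := sha256.Sum256(image)
	blob := append([]byte{}, image...)
	return append(blob, ed25519.Sign(priv, digest[:])...)
}

// UpdateGate models the bootloader's decision to let a new image reach flash.
// WriteLatch mirrors a hardware write-enable input (jumper or front-panel switch).
type UpdateGate struct {
	TrustedKeys []ed25519.PublicKey
	WriteLatch  bool
}

// Accept returns the verified image bytes, or an error explaining the refusal.
func (g *UpdateGate) Accept(blob []byte) ([]byte, error) {
	// Hardware check first: it still holds if every software check is subverted.
	if !g.WriteLatch {
		return nil, ErrWriteLatched
	}
	if len(blob) < sigLen {
		return nil, ErrTooShort
	}
	image, sig := blob[:len(blob)-sigLen], blob[len(blob)-sigLen:]
	digest := sha256.Sum256(image)
	for _, pub := range g.TrustedKeys {
		if ed25519.Verify(pub, digest[:], sig) {
			return image, nil
		}
	}
	return nil, ErrBadSignature
}

// EnrollKey adds an operator-supplied key. It is gated on the same latch, so a
// remote session holding admin credentials alone cannot extend the trust store.
func (g *UpdateGate) EnrollKey(pub ed25519.PublicKey) error {
	if !g.WriteLatch {
		return ErrWriteLatched
	}
	if len(pub) != ed25519.PublicKeySize {
		return ErrBadKey
	}
	g.TrustedKeys = append(g.TrustedKeys, pub)
	return nil
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, rogueKey, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample payload; not a real bootloader binary.
	image := []byte("constructed sample ROMMON image, not a real Cisco binary")
	gate := &UpdateGate{TrustedKeys: []ed25519.PublicKey{vendorPub}}

	_, err := gate.Accept(SignImage(vendorPriv, image))
	fmt.Println("latch open, vendor-signed   :", err)

	gate.WriteLatch = true // someone flipped the switch on the chassis
	_, err = gate.Accept(SignImage(vendorPriv, image))
	fmt.Println("latch closed, vendor-signed :", err)
	_, err = gate.Accept(SignImage(rogueKey, image))
	fmt.Println("latch closed, rogue-signed  :", err)
}
```

The latch is tested before the signature because it is the one check an attacker with a valid admin session cannot argue with: no credential, stolen or not, toggles it. The signature check only earns its keep if the verifier and the trust store themselves live in write-protected storage; if they sit in the same writable flash as the image, an attacker who can write the image can also patch out the check, which is the "speed bump rather than a wall" the thread refers to.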

