Bruce Schneier On Cisco ROMMON Firmware Exploit: "This Is Serious"
When Bruce Schneier says of a security problem "This is serious," it makes sense to pay attention to it. And that's how he refers to a recently disclosed Cisco vulnerability alert about "an evolution in attacks against Cisco IOS Classic platforms. Cisco has observed a limited number of cases where attackers, after gaining administrative or physical access to a Cisco IOS device, replaced the Cisco IOS ROMMON (IOS bootstrap) with a malicious ROMMON image." Schneier links to Ars Technica's short description of the attack, which notes: "The significance of the advisory isn't that the initial firmware can be replaced. As indicated, that's a standard feature not only with Cisco gear but just about any computing device. What's important is that attackers are somehow managing to obtain the administrative credentials required to make unauthorized changes that take control of the networking gear."
"after gaining administrative or physical access" (Score:5, Insightful)
Re: (Score:2, Insightful)
What's important is that attackers are somehow managing to obtain the administrative credentials required to make unauthorized changes that take control of the networking gear.
So, there's a big privilege escalation vulnerability that they haven't identified yet. This is a side effect of something serious that has not yet been isolated by Cisco.
Yeah, that's serious.
Re:"after gaining administrative or physical acces (Score:5, Funny)
A privilege escalation vulnerability that gives physical access? Yeah, that does sound pretty serious.
Re:"after gaining administrative or physical acces (Score:5, Funny)
A privilege escalation vulnerability that gives physical access? Yeah, that does sound pretty serious.
Apparently, once it's been rooted it enables teleportation.
Re: (Score:1)
administrative or physical access
Physical access isn't required to replace the firmware, it can be done remotely. They just meant that you're able to replace the firmware over the serial port. Remotely you could use telnet or ssh.
Re: (Score:3)
Re: (Score:2)
The article says OR physical access, so it sounds like if you know the admin password you can upload a firmware image over the network, which seems to be pretty damn common on network devices.
Re: (Score:3)
Serious Question: Is it ever going to be possible to secure systems that allow firmware to be updated by a remote user?
Isn't it likely that at some point we're going to have to face up to the reality that many things we find to be extremely convenient simply aren't compatible with the notion of security?
Re: (Score:1)
Requiring the firmware to be signed is probably one way to do it. But it's been shown to be more of a speed bump than a wall so far.
You could put a toggle switch on the device that you need to physically move to enable writing to the firmware, and ensure it's implemented in hardware to the memory rather than as a signal to the software so a hacker can't bypass it. Totally possible, but inconvenient. Although since data centres offer remote hands services not terribly so.
Re: (Score:3)
You don't actually need physical access, you just need access to the console port. Most folks don't access their console ports by going around and plugging in rollover cables, they hook the console ports into terminal servers and get remote console access that way.
So yeah, all you really need to do is find a way onto the management network and obtain some admin credentials.
Re: (Score:1)
From the section on Entering the Rom Monitor in the manual [cisco.com]
Entering the ROM Monitor
To use the ROM monitor, you must be using a terminal or PC that is connected to the router over the console port.
Perform these steps to configure the router to boot up in ROM monitor mode the next time it is rebooted.
(Emphasis Added)
I think we found our next Star Trek plot (Score:2)
"Cap'n! They hacked the ship's transporter! And then they hacked it again, even worse!"
Re:"after gaining administrative or physical acces (Score:5, Insightful)
Unless of course there's a way to do it remotely using a built in security hole like a default password.
And then it becomes a whole lot less "no shit, Sherlock" and becomes a lot more of "what the fuck were they thinking?".
What's key here is if companies are having an epidemic of their admin credentials being obtained through other means, or if there is a means of getting those admin credentials which shouldn't exist.
If it's a bunch of organizations with bad security practices, well, that's kind of hard to fix. If it's pinging the device and saying "give me your credentials", or a security backdoor they implemented ... then it's an entirely different matter.
And in this day and age, I'm afraid my thinking is the security back door isn't so implausible. And I'm afraid if it's that, the issue lies squarely at the feet of Cisco.
Re: (Score:3)
Unless of course there's a way to do it remotely using a built in security hole like a default password.
And then it becomes a whole lot less "no shit, Sherlock" and becomes a lot more of "what the fuck were they thinking?".
If there was a backdoor password, someone would have spilled it by now, or it's the best kept secret in the black hat community.
The Cisco advisory is basically saying 'hey, if someone has root, they can do bad shit'. And yeah, that's no shit, Sherlock.
Re: (Score:3)
You're missing the point.
Normally we take it for granted that most devices are insecure if they're not physically secured. From a technical standpoint vulnerability to physical attacks is the least interesting kind; you just tell your clients to lock the network closets, maybe log access to them. But the fact that a class of devices widely deployed -- in fact ubiquitously deployed -- in sensitive roles has been co-opted puts a different light on things.
In fact it flips things entirely around. If there we
Re: (Score:2)
We've always been at war with Eastasia.
Re: (Score:3)
Disabling security violations from physical access is very dangerous and undesirable. If you do that, how do you recover admin access if the credentials are lost? If you can suggest any solution to that, you have left physical access as an attack vector.
There are mitigations, however. There exists a well documented procedure over serial console to gain admin access to a Cisco router without the password. The catch is that to do so, you must take the router off line and so set off all the network monitors
Re: (Score:2)
Anything that allows the firmware to be updated remotely should require the firmware to be signed, to prevent this sort of attack. Of course the option for someone with physical access should be there to insert their own signing keys, but by default remote users should need to have firmware signed by Cisco, and Cisco should make damn sure that key never leaks out.
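As an added illustration of the scheme the two comments above describe (signed firmware by default, with an operator key that can only be enrolled by someone physically at the box), here is a small Go model. It is not Cisco's code or image format: the "RMON" header layout, the trust-store shape and the physical-presence flag are all assumptions made for this example, and Ed25519 from Go's standard library stands in for whatever signature scheme a vendor would actually use. The point it demonstrates is that verification happens before anything is written to boot flash, and that a tampered image, an image signed by an unknown key, and an operator key pushed over the network are all refused.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// TrustStore models the keys a device accepts (assumed design for this example).
// The vendor key is burned in; operator keys may only be added with physical presence.
type TrustStore struct {
	vendorKey    ed25519.PublicKey
	operatorKeys []ed25519.PublicKey
}

// EnrollOperatorKey refuses enrollment unless the (hypothetical) front-panel
// presence switch is asserted, so a remote admin session alone cannot add keys.
func (ts *TrustStore) EnrollOperatorKey(pk ed25519.PublicKey, physicalPresence bool) error {
	if !physicalPresence {
		return errors.New("operator key enrollment requires physical presence")
	}
	ts.operatorKeys = append(ts.operatorKeys, pk)
	return nil
}

// Constructed image layout: "RMON" | uint32 version | uint32 payloadLen | payload | 64-byte signature.
// The signature covers every byte before it, so the header cannot be altered either.
const magic = "RMON"

func BuildImage(version uint32, payload []byte, signer ed25519.PrivateKey) []byte {
	var buf bytes.Buffer
	buf.WriteString(magic)
	binary.Write(&buf, binary.BigEndian, version)
	binary.Write(&buf, binary.BigEndian, uint32(len(payload)))
	buf.Write(payload)
	buf.Write(ed25519.Sign(signer, buf.Bytes()))
	return buf.Bytes()
}

// VerifyImage returns the payload only if the image is well-formed and signed by a
// trusted key. It is the check that must run before any write to the bootstrap flash.
func (ts *TrustStore) VerifyImage(img []byte) ([]byte, error) {
	hdr := len(magic) + 8
	if len(img) < hdr+ed25519.SignatureSize {
		return nil, errors.New("image too short")
	}
	if string(img[:len(magic)]) != magic {
		return nil, errors.New("bad magic")
	}
	payloadLen := int64(binary.BigEndian.Uint32(img[len(magic)+4 : hdr]))
	if int64(hdr)+payloadLen+ed25519.SignatureSize != int64(len(img)) {
		return nil, errors.New("length field does not match image size")
	}
	signedLen := hdr + int(payloadLen)
	signed, sig := img[:signedLen], img[signedLen:]
	for _, pk := range append([]ed25519.PublicKey{ts.vendorKey}, ts.operatorKeys...) {
		if ed25519.Verify(pk, signed, sig) {
			return img[hdr:signedLen], nil
		}
	}
	return nil, errors.New("signature not from a trusted key")
}

// Scenario walks through the cases a verifier must get right and reports each outcome.
func Scenario() map[string]bool {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	operPub, operPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	ts := &TrustStore{vendorKey: vendorPub}
	payload := []byte("constructed bootstrap payload v2") // stand-in for real ROMMON code

	good := BuildImage(2, payload, vendorPriv)
	tampered := append([]byte(nil), good...)
	tampered[len(magic)+8] ^= 0x01 // flip one payload bit after signing
	rogue := BuildImage(2, payload, roguePriv)
	operImg := BuildImage(2, payload, operPriv)

	res := map[string]bool{}
	_, err := ts.VerifyImage(good)
	res["vendor-signed image accepted"] = err == nil
	_, err = ts.VerifyImage(tampered)
	res["tampered image rejected"] = err != nil
	_, err = ts.VerifyImage(rogue)
	res["image signed by unknown key rejected"] = err != nil
	_, err = ts.VerifyImage(operImg)
	res["operator image rejected before enrollment"] = err != nil
	res["remote enrollment refused"] = ts.EnrollOperatorKey(operPub, false) != nil
	res["local enrollment allowed"] = ts.EnrollOperatorKey(operPub, true) == nil
	_, err = ts.VerifyImage(operImg)
	res["operator image accepted after enrollment"] = err == nil
	return res
}

func main() {
	for k, v := range Scenario() {
		fmt.Printf("%-45s %v\n", k, v)
	}
}
```

Note that the trust decision is made on the complete image before anything is flashed; a design that writes first and checks later leaves the window the comments are worried about, and a signing key kept off the device is exactly what makes the "Cisco should make damn sure that key never leaks out" condition load-bearing.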
Re: (Score:2)
Apparently there are logs of valid admin logins happening. Whatever their vulnerability is, I didn't see any indication it has anything to do with Cisco, much less ROMMON, except that's where the symptoms are.
For all we know the vulnerability is in KeePass and that's a commonality among the admins who are having problems. Obviously Cisco is in the loop, but nobody is showing evidence that it's their fault. If rumors are to be believed, China has been stealing secure info from all the big corps that can't
Re: (Score:2)
You are completely missing the point. Everybody usually gets all excited because a given compromise can be done remotely. The important thing here is that this isn't an exploitable flaw. This is a clear indication that people with knowledge of the admin password and physical access to the device, as well as access to or capability to create the replacement 'IOS', are doing this. It could be the CIA. It could be Cisco. It could be the Chinese. Maybe it is Count Zero. W
Stupid post, but... (Score:2)
even though it's like saying 'attackers with the root password for a unix system have been observed manipulating logs and deleting core system files' deserves security disclosure...
it does also bring up the old double edged sword of requiring signed firmware for devices like this. Although a disgruntled admin can certainly cause serious damage, simply being able to hide malicious code at the hardware level via a remote admin interface is bad news.
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
I stand corrected... There's an "upgrade rom-monitor file ..." privilege command that allows upgrade from the standard sources (tftp/ftp/http/flash/etc) on most platforms, thus it would be trivial to upgrade with administrative access. One would assume a reboot is still necessary, which might raise suspicions, but once installed it may have counter measures to prevent removal or even detect it's installed.
If you're playing the long game, you don't even necessarily need to reboot it. As long as you can cover the tracks of the file being installed, you can just lie in wait until the next maintenance cycle that calls for a reboot of the device. Now, that could be a very long time. For example, rooting a Comcast Cisco router, you could lie in wait for years before it gets rebooted.
That, or just have the fel image tell IOS that it rebooted because of a power failure. Folks see that as the reboot reason, and they
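The three comments above give a defender a concrete detection surface: the upgrade command itself, a reboot that changes the reported bootstrap version, and a reboot whose stated reason does not fit what came before it. Here is an added Go example, not from the page or from Cisco, that runs those three checks over constructed records. The record format (time, device, CMD or BOOT, key=value fields) and the sample lines are made up for this example and are not real IOS syslog or AAA accounting output; only the "upgrade rom-monitor file" command string is taken from the comment above. The maintenance window and the 30-minute correlation interval are assumed tunables.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Constructed sample records (not real Cisco output). Format:
// <RFC3339 time> <device> <KIND> key=value ...; for CMD the cmd= field is last
// and runs to the end of the line.
var SampleLines = []string{
	"2015-08-12T03:14:07Z core-rtr-1 CMD user=netops cmd=upgrade rom-monitor file tftp://192.0.2.9/rommon.bin",
	"2015-08-12T03:20:11Z core-rtr-1 BOOT rommon=v1.0.3-mod reason=power-on",
	"2015-08-12T09:00:00Z core-rtr-2 CMD user=netops cmd=show version",
	"2015-08-12T22:05:00Z core-rtr-2 BOOT rommon=v1.0.3 reason=reload",
}

// Baseline is the bootstrap version per device as recorded in the asset inventory (constructed).
var Baseline = map[string]string{"core-rtr-1": "v1.0.3", "core-rtr-2": "v1.0.3"}

type Alert struct {
	Device, Rule, Detail string
}

type record struct {
	ts     time.Time
	device string
	kind   string
	kv     map[string]string
}

func parse(line string) (record, error) {
	parts := strings.SplitN(line, " ", 4)
	if len(parts) < 4 {
		return record{}, fmt.Errorf("malformed record: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, parts[0])
	if err != nil {
		return record{}, err
	}
	rest := parts[3]
	kv := map[string]string{}
	// cmd= may contain spaces, so peel it off before splitting the remaining pairs.
	if i := strings.Index(rest, "cmd="); i >= 0 {
		kv["cmd"] = rest[i+len("cmd="):]
		rest = rest[:i]
	}
	for _, f := range strings.Fields(rest) {
		if i := strings.Index(f, "="); i > 0 {
			kv[f[:i]] = f[i+1:]
		}
	}
	return record{ts: ts, device: parts[1], kind: parts[2], kv: kv}, nil
}

// inWindow reports whether the UTC hour falls inside [start, end), wrapping past midnight.
func inWindow(t time.Time, start, end int) bool {
	h := t.UTC().Hour()
	if start <= end {
		return h >= start && h < end
	}
	return h >= start || h < end
}

// Analyze applies three rules: bootstrap upgrade outside the maintenance window,
// reported bootstrap version drifting from the inventory baseline, and a reboot
// blamed on power loss shortly after a bootstrap upgrade was issued.
func Analyze(lines []string, baseline map[string]string, winStart, winEnd int) ([]Alert, error) {
	var alerts []Alert
	lastUpgrade := map[string]time.Time{}
	for _, line := range lines {
		r, err := parse(line)
		if err != nil {
			return nil, err
		}
		switch r.kind {
		case "CMD":
			if !strings.HasPrefix(r.kv["cmd"], "upgrade rom-monitor") {
				continue
			}
			lastUpgrade[r.device] = r.ts
			if !inWindow(r.ts, winStart, winEnd) {
				alerts = append(alerts, Alert{r.device, "rommon-upgrade-outside-window", r.kv["user"] + ": " + r.kv["cmd"]})
			}
		case "BOOT":
			if want, ok := baseline[r.device]; ok && r.kv["rommon"] != want {
				alerts = append(alerts, Alert{r.device, "rommon-version-drift", r.kv["rommon"] + " != " + want})
			}
			if up, ok := lastUpgrade[r.device]; ok && r.kv["reason"] == "power-on" && r.ts.Sub(up) < 30*time.Minute {
				alerts = append(alerts, Alert{r.device, "power-on-after-rommon-upgrade", "reboot reason does not match preceding upgrade"})
			}
		}
	}
	return alerts, nil
}

func main() {
	alerts, err := Analyze(SampleLines, Baseline, 22, 2)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%-11s %-32s %s\n", a.Device, a.Rule, a.Detail)
	}
}
```

On the sample data core-rtr-1 trips all three rules and core-rtr-2, which rebooted inside the window with its baseline bootstrap, trips none. The version-drift rule only works if the inventory baseline is collected from a source the device cannot rewrite; a compromised bootstrap that lies about its version, as the last comment suggests, defeats any check that trusts the device's own report, which is why the command-accounting and timing rules are kept alongside it.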
Probably not the NSA then ... (Score:2)
Re:Probably not the NSA then ... (Score:5, Insightful)
Are you honestly expecting the NSA would tell them if they did this?
the NSA won't tell Congress what they do ... WTF makes you think they give a crap what Cisco thinks about it?
It may or may not be the NSA doing this, but I think your assumption they'd be forthright in admitting it is misguided. In fact, I assume at this point they'd lie through their teeth.
Re: (Score:2, Interesting)
We know that the NSA routinely intercepts CISCO gear leaving the country, and inserts malware into the firmware. It looks like CISCO customers finally detected it. I wonder how much money this is costing CISCO, both in terms of support costs and in lost revenue.
What do you do with a network device that had this malware on it? Replacing it with new hardware, preferably from another manufacturer, seems like the only option. Re-flashing the firmware might not kill it (lots of NSA malware is designed to surviv
NSA probably intercepts routers in the US too (Score:3)
Re: (Score:2)
Re: (Score:2)
Sorry, but bullshit.
Show me some place where the NSA has ever said "everything we do is OK according to the Constitution".
What's that? You got nothing? Keep moving along, citizen ... there's nothing to see here.
The NSA, the FBI, local law enforcement, the government ... none of these entities give a crap about the Constitution. They will do anything they can get away with to fulfill what they think they're meant to do, or can get away with.
It is not possible to find a million ways around the Constitution and
Re: (Score:2)
Two answers: "they don't" and "logistical convenience".
For export to certain countries of interest, there are convenient (for the NSA) shipping bottlenecks that allow them to root all the devices they care to moving from the US to that country. But that's not generally true.
OTOH, we know the NSA has done more targeted stuff, like inserting an exploit in every PC sold in a small area, as a way to get that exploit to their target who lives in that area. Presumably that's labor intensive.
There's no evidence
Re: (Score:2)
There's no evidence (so far) of someone like Cisco knowingly putting an NSA exploit in everything they sell.
The NSA doesn't intercept all exported routers to a given country, either. Why wouldn't they intercept a single modem being shipped to a single target here in the US? It's no less illegal than most of the other junk they're doing.
A slide leaked by Wikileaks shows Cisco being counted by the NSA as a "strategic partnership". http://www.vrworld.com/2014/05... [vrworld.com]
UPS and Fed Ex's silence on the NSA's involvem
Re: (Score:2)
The NSA doesn't intercept all exported routers to a given country, either
We've certainly done that sort of thing in the past (though I don't know if it was the NSA). Every large printer sold to Iraq in the 80s and up to the first Gulf War had a radio transponder - we knew where every datacenter in the country was when the bombing started. I've heard mixed reports about Xerox machines sold to Russia during the cold war - certainly many of them had cameras that the service tech could harvest, not sure how broadly that was done.
A slide leaked by Wikileaks shows Cisco being counted by the NSA as a "strategic partnership".
Yep, wouldn't surprise me at all if Cisco has a form
Re: (Score:2)
Only ebay? What about other sites? There's even stories about agencies like the NSA intercepting new network gear and placing custom firmware on the device.
$5 says ... (Score:2, Interesting)
Somebody's discovered a backdoor that Cisco installed in Cisco IOS products.
But That's How We've Always Done It! (Score:2)
The significance of the advisory isn't that the initial firmware can be replaced. As indicated, that's a standard feature not only with Cisco gear but just about any computing device.
This is what should change. Firmware being read-write without some significant intervention is a huge factor in the current generation of vulnerabilities. Why is ROMMON write-enabled without moving a jumper or flipping a physical switch on the chassis?
Why can we update firmware on our PCs without needing to reboot into some special mode first? That stuff should be read-only (preferably with a hardware latch on the write-enable pin that's only cleared by a processor reset) as early as possible in the b