[183772] in North American Network Operators' Group


Re: Synful Knock questions...

daemon@ATHENA.MIT.EDU (Blake Hudson)
Tue Sep 15 18:07:00 2015

X-Original-To: nanog@nanog.org
To: nanog@nanog.org
From: Blake Hudson <blake@ispn.net>
Date: Tue, 15 Sep 2015 17:06:53 -0500
In-Reply-To: <55F883AE.9090705@satchell.net>
Errors-To: nanog-bounces@nanog.org

I always perform the md5 and/or SHA verification of images on flash 
against the Cisco website. This is mainly to ensure a good transfer from 
TFTP. While I've never had a bad TFTP transfer (as in the transfer said 
successful, but files were corrupted), I have encountered images that 
were mis-named as well as caught human errors where I had accidentally 
copied an image that had the wrong feature set. The verification helps 
prevent these oversights.

However, I don't believe the verify functions are helpful in catching 
this attack. Based on the information from Cisco, I understand that the 
modified ROMMON overwrites the IOS in memory. Thus the file on flash 
will not be modified and will appear normal. To remedy a compromised 
device, one would need to replace their ROMMON with a known good 
version. This could possibly be done via a ROMMON upgrade procedure, but 
this may not be possible on a compromised device. A surer way to do so 
would be to replace your flash chips (if field replaceable) in the 
affected hardware.

--Blake


Stephen Satchell wrote on 9/15/2015 3:46 PM:
> On 09/15/2015 11:40 AM, Jake Mertel wrote:
>> C) keep the
>> image firmware file size the same, preventing easy detection of the
>> compromise.
>
> Hmmm...time to automate the downloading and checksumming of the IOS 
> images in my router.  Hey, Expect, I'm looking at YOU.
>
> Wait a minute...doesn't Cisco have checksums in its file system? This 
> might be even easier than I thought, no TFTP server required...
>
> http://www.cisco.com/web/about/security/intelligence/iosimage.html#10
>
>    Switch#dir *.bin
>
>    (Capture the image name)
>
>    Switch#verify /md5 my.installed.IOS.image.bin
>
> The output is a bunch of dots (for a switch) followed by an output 
> line that ends "= xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" with the 
> x's replaced with the MD5 hash.
>
> The command is on 2811 routers, too.  Maybe far more devices, but I 
> didn't want to take the time to check.  You would need to capture the 
> MD5 from a known good image, and watch for changes.
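Stephen's suggestion above (capture the MD5 of a known-good image and watch for changes) as an added example, not code from the thread or from Cisco: a small Python checker that parses the trailing `= <hash>` line of `verify /md5` output and compares it against a recorded per-device baseline. The sample output and hash values are constructed, and the `BASELINE` dictionary is a hypothetical stand-in for whatever store you keep.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample of what `verify /md5 <image>` prints on an IOS device:
# a run of dots, then a line ending in "= <32 hex chars>", as described in
# the thread. The image name is the placeholder used in the quoted post and
# the hash value is made up, not a real image digest.
SAMPLE_VERIFY_OUTPUT = """\
Switch#verify /md5 my.installed.IOS.image.bin
......................................................................
verify /md5 (flash:my.installed.IOS.image.bin) = 0123456789abcdef0123456789abcdef
"""

# Hypothetical baseline: (device, image) -> MD5 recorded from a known-good copy.
BASELINE: Dict[Tuple[str, str], str] = {
    ("Switch", "my.installed.IOS.image.bin"): "0123456789abcdef0123456789abcdef",
}

# The digest is the last thing on the line after "= ", so anchor on end-of-line.
MD5_RE = re.compile(r"=\s*([0-9a-fA-F]{32})\s*$", re.MULTILINE)


def parse_verify_md5(output: str) -> Optional[str]:
    """Return the MD5 hex digest from `verify /md5` output, or None if absent."""
    m = MD5_RE.search(output)
    return m.group(1).lower() if m else None


def check_against_baseline(output: str, baseline: Dict[Tuple[str, str], str],
                           device: str, image: str) -> Tuple[str, Optional[str]]:
    """Compare the hash the device reports with the recorded known-good value.

    Returns (status, observed_hash) with status one of
    'ok', 'changed', 'unknown-image', 'no-hash'.
    Caveat from the thread: this only covers the file on flash. An IOS image
    patched in memory by a modified ROMMON leaves the flash copy untouched,
    so a 'changed' result is a signal, but 'ok' is not proof of a clean box.
    """
    observed = parse_verify_md5(output)
    if observed is None:
        return "no-hash", None
    expected = baseline.get((device, image))
    if expected is None:
        return "unknown-image", observed
    return ("ok" if observed == expected.lower() else "changed"), observed


if __name__ == "__main__":
    print(check_against_baseline(SAMPLE_VERIFY_OUTPUT, BASELINE,
                                 "Switch", "my.installed.IOS.image.bin"))
```

Feed it the captured output of `verify /md5` from each device (via Expect or any other collector) and alert on anything other than `ok`.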

