Bruce Schneier On Cisco ROMMON Firmware Exploit: "This Is Serious"
When Bruce Schneier says of a security problem "This is serious," it makes sense to pay attention to it. And that's how he refers to a recently disclosed Cisco vulnerability alert about "an evolution in attacks against Cisco IOS Classic platforms. Cisco has observed a limited number of cases where attackers, after gaining administrative or physical access to a Cisco IOS device, replaced the Cisco IOS ROMMON (IOS bootstrap) with a malicious ROMMON image." Schneier links to Ars Technica's short description of the attack, which notes: "The significance of the advisory isn't that the initial firmware can be replaced. As indicated, that's a standard feature not only with Cisco gear but just about any computing device. What's important is that attackers are somehow managing to obtain the administrative credentials required to make unauthorized changes that take control of the networking gear."
Well no shit, Sherlock, really?
I don't respond to AC's.
Exactly what I thought when I read it. This isn't news. It's common f*cking sense to anyone that's been in the field for more than 10 minutes.
> What's important is that attackers are somehow managing to obtain the administrative credentials required to make unauthorized changes that take control of the networking gear.
So, there's a big privilege escalation vulnerability that they haven't identified yet. This is a side effect of something serious that has not yet been isolated by Cisco.
Yeah, that's serious.
I'm going with passwords on post-it notes, stuff in Google Docs with unchecked sharing perms or passwords in clear emails.
Even though it's like saying 'attackers with the root password for a unix system have been observed manipulating logs and deleting core system files' deserves security disclosure...
It does also bring up the old double-edged sword of requiring signed firmware for devices like this. Although a disgruntled admin can certainly cause serious damage, simply being able to hide malicious code at the hardware level via a remote admin interface is bad news.
Proofreaders, edirors are.
A privilege escalation vulnerability that gives physical access? Yeah, that does sound pretty serious.
If this were the NSA's doing, Cisco probably wouldn't have gone public about it (I'm assuming they'd exchange information with the NSA about a problem of this magnitude).
It's NSA, therefore not unauthorized and totally legal. Move on, citizen.
If they have physical access, you're already screwed. Of course where this really has impact is if you buy used Cisco gear on eBay which might be infected with a malicious ROMMON. This is yet another reason why I won't touch used Cisco gear.
Unless of course there's a way to do it remotely using a built in security hole like a default password.
And then it becomes a whole lot less "no shit, Sherlock" and becomes a lot more of "what the fuck were they thinking?".
What's key here is if companies are having an epidemic of their admin credentials being obtained through other means, or if there is a means of getting those admin credentials which shouldn't exist.
If it's a bunch of organizations with bad security practices, well, that's kind of hard to fix. If it's pinging the device and saying "give me your credentials", or a security backdoor they implemented ... then it's an entirely different matter.
And in this day and age, I'm afraid my thinking is the security back door isn't so implausible. And I'm afraid if it's that, the issue lies squarely at the feet of Cisco.
Lost at C:>. Found at C.
You're missing the point.
Normally we take it for granted that most devices are insecure if they're not physically secured. From a technical standpoint vulnerability to physical attacks is the least interesting kind; you just tell your clients to lock the network closets, maybe log access to them. But the fact that a class of devices widely deployed -- in fact ubiquitously deployed -- in sensitive roles has been co-opted puts a different light on things.
In fact it flips things entirely around. If there were an easily exploitable remote vulnerability and there were a widespread attack using that, certainly that would be an emergency, but we'd know what to do. Send out an urgent bulletin, get the patch out, work like hell while the customers secure their equipment. But what if this is a widespread physical attack? An occasional instance of this wouldn't be a big deal; you'd expect that occasionally a sloppy facility will intersect with something like a disgruntled employee. But a widespread program of physical attack violates one of our underlying assumptions about security, which is that physical vulnerabilities are not a big deal. What's more, it suggests a degree of organization, planning and resources that make you wonder: who the hell is doing this, and why?
I think if we look into this and discover an extremely widespread remote exploit is behind it, that will be the happy outcome. If it turns out that someone managed this by physical access, that means we were in a cyber-war and didn't know it.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Somebody's discovered a backdoor that Cisco installed in Cisco IOS products.
Ahahaha, oh Cisco you're so funny. Mild damage haha.
Firmware is game over territory. But they know that already.
> A privilege escalation vulnerability that gives physical access? Yeah, that does sound pretty serious.
Apparently, once it's been rooted it enables teleportation.
Just cruising through this digital world at 33 1/3 rpm...
> administrative or physical access
Physical access isn't required to replace the firmware, it can be done remotely. They just meant that you're able to replace the firmware over the serial port. Remotely you could use telnet or ssh.
The article says OR physical access, so it sounds like if you know the admin password you can upload a firmware image over the network, which seems to be pretty damn common on network devices.
If I have been able to see further than others, it is because I bought a pair of binoculars.
Anything that allows the firmware to be updated remotely should require the firmware to be signed, to prevent this sort of attack. Of course the option for someone with physical access should be there to insert their own signing keys, but by default remote users should need to have firmware signed by Cisco, and Cisco should make damn sure that key never leaks out.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
You don't actually need physical access, you just need access to the console port. Most folks don't access their console ports by going around and plugging in rollover cables, they hook the console ports into terminal servers and get remote console access that way.
So yeah, all you really need to do is find a way onto the management network and obtain some admin credentials.
> Unless of course there's a way to do it remotely using a built in security hole like a default password.
> And then it becomes a whole lot less "no shit, Sherlock" and becomes a lot more of "what the fuck were they thinking?".
If there was a backdoor password, someone would have spilled it by now, or it's the best kept secret in the black hat community.
The Cisco advisory is basically saying 'hey, if someone has root, they can do bad shit'. And yeah, that's no shit sherlock
Serious Question: Is it ever going to be possible to secure systems that allow firmware to be updated by a remote user?
Isn't it likely that at some point we're going to have to face up to the reality that many things we find to be extremely convenient simply aren't compatible with the notion of security?
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
We've always been at war with eastasia
Apparently there are logs of valid admin logins happening. Whatever their vulnerability is, I didn't see any indication it has anything to do with Cisco, much less ROMMON, except that's where the symptoms are.
For all we know the vulnerability is in KeePass and that's a commonality among the admins who are having problems. Obviously Cisco is in the loop, but nobody is showing evidence that it's their fault. If rumors are to be believed, China has been stealing secure info from all the big corps that can't be bothered to secure their infrastructure, so that's an obvious place to look for footholds.
Bruce seems to think that it would take a State-level actor to modify a ROMMON image. They sure could, but a group slightly less daft than HackingTeam could probably do it too.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
"Remote", i.e. no physically connected access, in every network I've seen in the past 30 years, is done via ICANN private addresses (non-internet routing) or terminal servers using that same type of address space to access the console port. The latter counts as physical access. So, to do this we have to access a system with access to both the private address space (sometimes called a jump system) and internet-exposed address space. This is so common a practice that "it's always done this way". If it's not done this way, you deserve what you get.
This isn't a vulnerability, just a description of poor network administration practice. I expect better of Bruce Schneier.
Why would they limit themselves to exported hardware?
Disabling security violations from physical access is very dangerous and undesirable. If you do that, how do you recover admin access if the credentials are lost? If you can suggest any solution to that, you have left physical access as an attack vector.
There are mitigations, however. There exists a well documented procedure over serial console to gain admin access to a Cisco router without the password. The catch is that to do so, you must take the router offline and so set off all the network monitors (you are running those, right?). Further, you will wipe out the configuration on the router when you do so.
That is perfectly adequate to make the tampering evident. The problem comes in if the response to the alarms is an immediate visit to the router to see what might have been done to the configs and to change the admin credentials and nothing else. That's how a replaced rommon could be a problem. Awareness of that vector will suggest reloading a known good copy.
Likewise, it comes in to play if an admin is fired for cause. Again, awareness that the rommon image could have been switched out will suggest that just reviewing the configs and changing the password is not enough.
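The footprint the comment above describes (an unplanned reload, a configuration change made from the console, and a configuration register left set to ignore startup-config) is something a syslog collector and a `show version` baseline can catch. The following is an added example for this thread, not code from Cisco or from anyone in the discussion. The syslog lines and the `show version` excerpt are constructed; the 2015 year, the 30-minute window, the hostname and the expected bootstrap version are assumptions.

```python
"""Flag the footprint of console password recovery / ROMMON access on a Cisco IOS
device from collected syslog and a 'show version' baseline.
Added example for this thread, not code from Cisco. All sample data is constructed."""
import re
from datetime import datetime, timedelta

# Constructed syslog lines as a collector would store them (timestamp, host, seq, message).
SAMPLE_SYSLOG = """\
Aug 11 02:14:07 core-rtr1 123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
Aug 11 03:02:41 core-rtr1 124: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.
Aug 11 03:06:12 core-rtr1 1: %SYS-5-RESTART: System restarted --
Aug 11 03:09:55 core-rtr1 5: %SYS-5-CONFIG_I: Configured from console by console
Aug 12 09:30:00 core-rtr1 200: %SYS-5-CONFIG_I: Configured from console by netops on vty1 (10.0.0.7)
"""

# Constructed excerpt of 'show version'; the two lines that matter for this check.
SAMPLE_SHOW_VERSION = """\
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Configuration register is 0x2102 (will be 0x2142 at next reload)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?:\d+: )?"
    r"(?P<mnemonic>%[A-Z0-9_-]+-\d-[A-Z0-9_]+): (?P<text>.*)$"
)
BOOT_RE = re.compile(r"^ROM: System Bootstrap, Version (\S+),", re.M)
REG_RE = re.compile(r"Configuration register is (0x[0-9A-Fa-f]+)"
                    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?")
IGNORE_STARTUP_CONFIG = 0x40  # bit 6; 'confreg 0x2142' sets it so the box boots with no config


def parse_syslog(raw, year=2015):
    """Return [(timestamp, host, mnemonic, text)] for lines that look like IOS messages.
    Syslog carries no year, so the collector's year is passed in (assumed 2015 here)."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an IOS message; a real pipeline would count these
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], m["mnemonic"], m["text"]))
    return events


def find_console_recovery(events, window=timedelta(minutes=30)):
    """A restart followed within `window` by a config change made on the console line
    itself (no vty in the message) matches the break-into-ROMMON recovery sequence.
    It is also what a legitimate admin at a terminal server looks like, so treat it
    as 'open a ticket and check the bootstrap', not as proof of compromise."""
    alerts = []
    for r_ts, host, mnemonic, _ in events:
        if mnemonic != "%SYS-5-RESTART":
            continue
        for ts, h, mn, text in events:
            if (h == host and mn == "%SYS-5-CONFIG_I"
                    and not re.search(r" on vty\d", text)
                    and r_ts <= ts <= r_ts + window):
                alerts.append(f"{host}: restart {r_ts:%Y-%m-%d %H:%M:%S}, "
                              f"console config {ts:%H:%M:%S}")
    return alerts


def check_config_register(show_version):
    """Report a current or pending configuration register that ignores startup-config."""
    m = REG_RE.search(show_version)
    if not m:
        return ["configuration register line not found"]
    findings = []
    for label, val in (("current", m.group(1)), ("pending", m.group(2))):
        if val and int(val, 16) & IGNORE_STARTUP_CONFIG:
            findings.append(f"{label} register {val} ignores startup-config")
    return findings


def check_bootstrap(show_version, expected_version):
    """True if the reported bootstrap (ROMMON) version matches the baseline.
    A malicious ROMMON can report any string it likes, so a match is necessary,
    not sufficient; a mismatch is a definite finding."""
    m = BOOT_RE.search(show_version)
    return m is not None and m.group(1) == expected_version


if __name__ == "__main__":
    evts = parse_syslog(SAMPLE_SYSLOG)
    for a in find_console_recovery(evts):
        print("ALERT", a)
    for f in check_config_register(SAMPLE_SHOW_VERSION):
        print("REGISTER", f)
    print("bootstrap matches baseline:", check_bootstrap(SAMPLE_SHOW_VERSION, "12.4(13r)T"))
```

On the constructed data this flags the 03:06 restart followed by the 03:09 console configuration and the pending 0x2142 register; the vty sessions are ignored. The bootstrap check is deliberately the weakest part: a replaced ROMMON can print the expected version string, which is why the comment's conclusion (reload a known-good copy rather than just review the config and change the password) is the right response to an alert.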
You are completely missing the point. Everybody usually gets all excited because a given compromise can be done remotely. The important thing here is that this isn't an exploitable flaw. This is a clear indication that people with knowledge of the admin password and physical access to the device, as well as access to or capability to create the replacement "IOS", are doing this. It could be the CIA. It could be Cisco. It could be the Chinese. Maybe it is Count Zero. Who knows? But it is someone, and they have access and privileges.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Requiring the firmware to be signed is probably one way to do it. But it's been shown to be more of a speed bump than a wall so far.
You could put a toggle switch on the device that you need to physically move to enable writing to the firmware, and ensure it's implemented in hardware to the memory rather than as a signal to the software so a hacker can't bypass it. Totally possible, but inconvenient. Although since data centres offer remote hands services, not terribly so.
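Until vendor-signed images are enforced in hardware, the check an operator can actually perform today, for the signed-firmware discussion above and for the earlier point about reloading a known-good copy, is to compare the digest of the image you are about to flash against the digests the vendor publishes. The following is an added example, not Cisco code and not from anyone in the thread. The image bytes and the manifest are constructed stand-ins; in practice the manifest values come from the vendor's download page, fetched out of band and never from the device you suspect.

```python
"""Check a firmware/ROMMON image against vendor-published digests before loading it.
Added example for this thread, not Cisco code. The image bytes and the manifest
are constructed stand-ins; real manifest values come from the vendor download page."""
import hashlib
import hmac

ALGOS = ("md5", "sha512")  # vendors publish MD5 (legacy) and SHA-512 for images

# Constructed stand-in for a good image and a copy with one byte patched.
GOOD_IMAGE = bytes(range(256)) * 64  # 16 KiB of deterministic filler
_t = bytearray(GOOD_IMAGE)
_t[0x1000] ^= 0x01
TAMPERED_IMAGE = bytes(_t)


def digests(data, algos=ALGOS):
    """Hex digests of `data` for each algorithm, streamed in chunks so large images fit."""
    hashes = {a: hashlib.new(a) for a in algos}
    view = memoryview(data)
    for off in range(0, len(view), 1 << 16):
        for h in hashes.values():
            h.update(view[off:off + (1 << 16)])
    return {a: h.hexdigest() for a, h in hashes.items()}


# What the vendor page would list for these images (constructed here from GOOD_IMAGE).
MANIFEST = {
    "rommon-constructed.bin": digests(GOOD_IMAGE),
    "rommon-legacy-constructed.bin": digests(GOOD_IMAGE, ("md5",)),
}


def verify_image(name, data, manifest):
    """Return (ok, reason). Every digest listed for `name` must match; an image the
    manifest does not know is refused. MD5-only entries still verify (the vendor
    may publish nothing stronger for old platforms) but are flagged as weak."""
    expected = manifest.get(name)
    if not expected:
        return False, "image not in manifest; refuse to load"
    actual = digests(data, tuple(expected))
    for algo, want in expected.items():
        if not hmac.compare_digest(actual[algo], want.lower()):
            return False, f"{algo} mismatch: image is not the published build"
    if set(expected) == {"md5"}:
        return True, "match, but MD5 only: collisions are practical, get a SHA-512 value"
    return True, "all published digests match"


if __name__ == "__main__":
    for label, img in (("good", GOOD_IMAGE), ("tampered", TAMPERED_IMAGE)):
        print(label, verify_image("rommon-constructed.bin", img, MANIFEST))
    print("legacy", verify_image("rommon-legacy-constructed.bin", GOOD_IMAGE, MANIFEST))
    print("unknown", verify_image("rommon-unknown.bin", GOOD_IMAGE, MANIFEST))
```

Two caveats matter in practice. First, hash the image on a trusted host rather than trusting a digest computed by software on the suspect device itself (IOS's own `verify /md5 flash:<image> <published-md5>` is useful for catching a corrupt transfer, less so once the box is the thing in question). Second, a matching digest only proves the file is the build the vendor published; it says nothing about whether that build is the version you intended, so pair it with a version check and a change record.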
They are replacing the ROMMON Bootloader, not the firmware image. It is entirely possible that you do need physical access to do this, either because the bootloader is a separate ROM IC, or because software requires you to press/hold a button before proceeding. I don't know for sure. Do you have actual experience replacing ROMMON?
You'd better tell that to Cisco!
From the section on Entering the ROM Monitor in the manual:
> Entering the ROM Monitor
> To use the ROM monitor, you must be using a terminal or PC that is connected to the router over the console port.
> Perform these steps to configure the router to boot up in ROM monitor mode the next time it is rebooted.
(Emphasis Added)
> The significance of the advisory isn't that the initial firmware can be replaced. As indicated, that's a standard feature not only with Cisco gear but just about any computing device.
This is what should change. Firmware being read-write without some significant intervention is a huge factor in the current generation of vulnerabilities. Why is ROMMON write-enabled without moving a jumper or flipping a physical switch on the chassis?
Why can we update firmware on our PCs without needing to reboot into some special mode first? That stuff should be read-only (preferably with a hardware latch on the write-enable pin that's only cleared by a processor reset) as early as possible in the boot sequence.
The general case is that we do not update firmware while running the device. Even if you did that thirty times in the lifetime of the computer, they'd still be relatively exceptional cases. Why is the default behavior to trust that the OS will be bug-free enough to protect something so critical?
Or maybe I'm just getting old. Break out the UV EPROM-eraser and get off my lawn!
Pining for the days when The Glorious MEEPT!!! graced SlapDash with his wisdom.
> A privilege escalation vulnerability that gives physical access? Yeah, that does sound pretty serious.
Sounds like prom night... :-)
Maybe the password was "sanfran".
> Well no shit, Sherlock, really?
O, enlightened one, let me say only this to you: UEFI.
It's like Smart TVs: it's the owner who's not smart.
"Cap'n! They hacked the ship's transporter! And then they hacked it again, even worse!"
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
"No product vulnerability is leveraged in this attack, and the attacker requires valid administrative credentials or physical access to the system to be successful. The ability to install an upgraded ROMMON image on IOS devices is a standard, documented feature that administrators use to manage their networks. No CVE ID will be assigned."
Cisco Systems officials are warning customers of a series of attacks that completely hijack critical networking gear by swapping out the valid ROMMON firmware image with one that's been maliciously altered.
The attackers use valid administrator credentials, an indication the attacks are being carried out either by insiders or people who have otherwise managed to get hold of the highly sensitive passwords required to update and make changes to the Cisco hardware. Short for ROM Monitor, ROMMON is the means for booting Cisco's IOS operating system. Administrators use it to perform a variety of configuration tasks, including recovering lost passwords, downloading software, or in some cases running the router itself.
This is a Non-story.