Slashdot Mirror


Bruce Schneier On Cisco ROMMON Firmware Exploit: "This Is Serious"

When Bruce Schneier says of a security problem "This is serious," it makes sense to pay attention to it. And that's how he refers to a recently disclosed Cisco vulnerability alert about "an evolution in attacks against Cisco IOS Classic platforms. Cisco has observed a limited number of cases where attackers, after gaining administrative or physical access to a Cisco IOS device, replaced the Cisco IOS ROMMON (IOS bootstrap) with a malicious ROMMON image." Schneier links to Ars Technica's short description of the attack, which notes: "The significance of the advisory isn't that the initial firmware can be replaced. As indicated, that's a standard feature not only with Cisco gear but just about any computing device. What's important is that attackers are somehow managing to obtain the administrative credentials required to make unauthorized changes that take control of the networking gear."
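Since the advisory describes a legitimate bootstrap-replacement feature being abused by an attacker who already holds admin credentials, the defender-side question is how to notice that a device's ROMMON no longer matches what the operator installed. The script below is an added example, not part of the Slashdot summary, the Cisco advisory or the Ars Technica piece: it parses the "ROM: System Bootstrap" line from collected `show version` text, compares it against a per-platform allowlist, and separately checks a staged image file against a known digest before it is ever pushed to a device. The device names, platform strings, version numbers and allowlist are all constructed for illustration.

```python
"""Drift check for Cisco IOS ROMMON versions as reported in `show version`.

Added example (not the page's or Cisco's own code). Assumes the operator
already collects `show version` output from each device and maintains an
allowlist of ROMMON versions per platform. All sample data is constructed.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed `show version` excerpts; only the "ROM: System Bootstrap" and
# "Cisco IOS Software" lines are used. Hostnames and versions are made up.
SAMPLE_OUTPUTS = {
    "edge-rtr-01": (
        "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.4(3)M3\n"
        "ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)\n"
        "edge-rtr-01 uptime is 2 weeks, 3 days\n"
    ),
    "edge-rtr-02": (
        "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.4(3)M3\n"
        "ROM: System Bootstrap, Version 15.0(1r)M1, RELEASE SOFTWARE (fc1)\n"
        "edge-rtr-02 uptime is 1 hour, 12 minutes\n"
    ),
}

# Hypothetical allowlist: ROMMON versions the operator has validated per platform.
KNOWN_GOOD_ROMMON: Dict[str, Set[str]] = {"C2900": {"15.0(1r)M16", "15.0(1r)M15"}}

ROM_LINE = re.compile(r"^ROM: System Bootstrap, Version ([^,]+),", re.MULTILINE)
PLATFORM_LINE = re.compile(r"^Cisco IOS Software, (\w+) Software", re.MULTILINE)


@dataclass
class Finding:
    device: str
    platform: Optional[str]
    rommon: Optional[str]
    status: str  # "ok", "unexpected_rommon" or "unparsed"


def check_rommon(device: str, show_version: str,
                 allowlist: Dict[str, Set[str]]) -> Finding:
    """Classify one device's ROMMON against the allowlist for its platform."""
    platform_m = PLATFORM_LINE.search(show_version)
    rom_m = ROM_LINE.search(show_version)
    if not platform_m or not rom_m:
        # Unparseable output is itself worth a look: a device that stops
        # reporting a bootstrap line should not silently pass.
        return Finding(device, None, None, "unparsed")
    platform = platform_m.group(1)
    rommon = rom_m.group(1).strip()
    status = "ok" if rommon in allowlist.get(platform, set()) else "unexpected_rommon"
    return Finding(device, platform, rommon, status)


def audit(outputs: Dict[str, str],
          allowlist: Dict[str, Set[str]]) -> Dict[str, Finding]:
    """Run check_rommon over a whole fleet of collected outputs."""
    return {dev: check_rommon(dev, text, allowlist) for dev, text in outputs.items()}


# Constructed stand-in for a ROMMON image file and its expected SHA-256.
# In practice the digest comes from an out-of-band, trusted source, never
# from the device being checked.
SAMPLE_IMAGE = b"\x7fROMMON-constructed-sample-image\x00" * 16
SAMPLE_IMAGE_SHA256 = hashlib.sha256(SAMPLE_IMAGE).hexdigest()


def image_digest_matches(image: bytes, expected_sha256_hex: str) -> bool:
    """Constant-time comparison of a staged image's SHA-256 against the baseline."""
    actual = hashlib.sha256(image).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex)


if __name__ == "__main__":
    for f in audit(SAMPLE_OUTPUTS, KNOWN_GOOD_ROMMON).values():
        print(f"{f.device}: {f.status} (platform={f.platform}, rommon={f.rommon})")
    print("staged image ok:", image_digest_matches(SAMPLE_IMAGE, SAMPLE_IMAGE_SHA256))
```

One caveat that follows directly from the advisory: an attacker with administrative access to the device could, in principle, also tamper with what the device reports about itself, so a version-drift check like this is a detection aid for the case Cisco describes, not proof of a clean bootstrap; the image-digest check only protects the path by which the operator's own images reach the device.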

5 of 57 comments

  1. "after gaining administrative or physical access" by DogDude · · Score: 4, Insightful

    Well no shit, Sherlock, really?

    --
    I don't respond to AC's.
  2. Re:"after gaining administrative or physical acces by Anonymous Coward · · Score: 0, Insightful

    Exactly what I thought when I read it. This isn't news. It's common f*cking sense to anyone that's been in the field for more than 10 minutes.

  3. Re:"after gaining administrative or physical acces by Anonymous Coward · · Score: 2, Insightful

    What's important is that attackers are somehow managing to obtain the administrative credentials required to make unauthorized changes that take control of the networking gear.

    So, there's a big privilege escalation vulnerability that they haven't identified yet. This is a side effect of something serious that has not yet been isolated by Cisco.

    Yeah, that's serious.

  4. Re:"after gaining administrative or physical acces by gstoddart · · Score: 4, Insightful

    Unless of course there's a way to do it remotely using a built in security hole like a default password.

    And then it becomes a whole lot less "no shit, Sherlock" and becomes a lot more of "what the fuck were they thinking?".

    What's key here is if companies are having an epidemic of their admin credentials being obtained through other means, or if there is a means of getting those admin credentials which shouldn't exist.

    If it's a bunch of organizations with bad security practices, well, that's kind of hard to fix. If it's pinging the device and saying "give me your credentials", or a security backdoor they implemented ... then it's an entirely different matter.

    And in this day and age, I'm afraid my thinking is the security back door isn't so implausible. And I'm afraid if it's that, the issue lies squarely at the feet of Cisco.

    --
    Lost at C:>. Found at C.
  5. Re:Probably not the NSA then ... by gstoddart · · Score: 4, Insightful

    Are you honestly expecting the NSA would tell them if they did this?

    The NSA won't tell Congress what they do ... WTF makes you think they give a crap what Cisco thinks about it?

    It may or may not be the NSA doing this, but I think your assumption they'd be forthright in admitting it is misguided. In fact, I assume at this point they'd lie through their teeth.

    --
    Lost at C:>. Found at C.