Bruce Schneier On Cisco ROMMON Firmware Exploit: "This Is Serious"
When Bruce Schneier says of a security problem "This is serious," it makes sense to pay attention to it. And that's how he refers to a recently disclosed Cisco vulnerability alert about "an evolution in attacks against Cisco IOS Classic platforms. Cisco has observed a limited number of cases where attackers, after gaining administrative or physical access to a Cisco IOS device, replaced the Cisco IOS ROMMON (IOS bootstrap) with a malicious ROMMON image." Schneier links to Ars Technica's short description of the attack, which notes: "The significance of the advisory isn't that the initial firmware can be replaced. As indicated, that's a standard feature not only with Cisco gear but just about any computing device. What's important is that attackers are somehow managing to obtain the administrative credentials required to make unauthorized changes that take control of the networking gear."
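Since the advisory describes a replaced ROMMON rather than a software bug, one defensive check is to compare the bootstrap version each device reports in `show version` against an approved baseline and flag deviations. The script below is an added example, not part of the Slashdot post or Cisco's advisory; the baseline versions and the `show version` excerpts are constructed sample data.

```python
import re

# Approved ROMMON (bootstrap) versions per platform. Constructed values for
# this example; a real baseline comes from vendor release notes plus your
# own fleet inventory.
ROMMON_BASELINE = {
    "C2900": {"15.0(1r)M15", "15.0(1r)M16"},
    "C3900": {"15.0(1r)M16"},
}

# 'show version' prints the platform on its first line and the bootstrap
# version on a line starting with "ROM:".
PLATFORM_RE = re.compile(r"^Cisco IOS Software, (\S+) Software", re.M)
ROM_RE = re.compile(r"^ROM: System Bootstrap, Version (\S+),", re.M)


def parse_show_version(text):
    """Extract platform family and ROMMON version from 'show version' output."""
    platform = PLATFORM_RE.search(text)
    rom = ROM_RE.search(text)
    return {
        "platform": platform.group(1) if platform else None,
        "rommon": rom.group(1) if rom else None,
    }


def audit_rommon(outputs, baseline=ROMMON_BASELINE):
    """Return (host, reason) for every device whose ROMMON is missing or off-baseline."""
    findings = []
    for host, text in outputs.items():
        info = parse_show_version(text)
        approved = baseline.get(info["platform"], set())
        if info["rommon"] is None:
            findings.append((host, "no ROM: line in show version output"))
        elif info["rommon"] not in approved:
            findings.append((host, f"unexpected ROMMON {info['rommon']} on {info['platform']}"))
    return findings


# Constructed 'show version' excerpts (not real captures): one compliant
# device, one with an off-baseline bootstrap, one with no ROM: line at all.
SAMPLE_OUTPUTS = {
    "edge-rtr-01": "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(4)M6\n"
                   "ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)\n",
    "edge-rtr-02": "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(4)M6\n"
                   "ROM: System Bootstrap, Version 15.0(1r)M9, RELEASE SOFTWARE (fc1)\n",
    "branch-rtr-07": "Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.2(4)M6\n"
                     "System image file is \"flash0:c3900-universalk9-mz.SPA.152-4.M6.bin\"\n",
}

if __name__ == "__main__":
    for host, reason in audit_rommon(SAMPLE_OUTPUTS):
        print(f"{host}: {reason}")
```

A tampered bootstrap can report whatever version string its author chose, so this catches inventory drift and careless replacements, not a ROMMON built to lie; pair it with the image-verification and hardening guidance in Cisco's advisory.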
Somebody's discovered a backdoor that Cisco installed in Cisco IOS products.
We know that the NSA routinely intercepts Cisco gear leaving the country, and inserts malware into the firmware. It looks like Cisco customers finally detected it. I wonder how much money this is costing Cisco, both in terms of support costs and in lost revenue.
What do you do with a network device that had this malware on it? Replacing it with new hardware, preferably from another manufacturer, seems like the only option. Re-flashing the firmware might not kill it (lots of NSA malware is designed to survive such attempts to remove it, according to their documentation), so it has to go, and buying replacements from Cisco has every chance of simply upgrading the malware to a version that is harder to detect.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC