Slashdot Mirror


Bruce Schneier On Cisco ROMMON Firmware Exploit: "This Is Serious"

When Bruce Schneier says of a security problem "This is serious," it makes sense to pay attention to it. And that's how he refers to a recently disclosed Cisco vulnerability alert about "an evolution in attacks against Cisco IOS Classic platforms. Cisco has observed a limited number of cases where attackers, after gaining administrative or physical access to a Cisco IOS device, replaced the Cisco IOS ROMMON (IOS bootstrap) with a malicious ROMMON image." Schneier links to Ars Technica's short description of the attack, which notes: "The significance of the advisory isn't that the initial firmware can be replaced. As indicated, that's a standard feature not only with Cisco gear but just about any computing device. What's important is that attackers are somehow managing to obtain the administrative credentials required to make unauthorized changes that take control of the networking gear."

16 of 57 comments

  1. "after gaining administrative or physical access" by DogDude · · Score: 4, Insightful

    Well no shit, Sherlock, really?

    --
    I don't respond to AC's.
  2. Re:"after gaining administrative or physical acces by Anonymous Coward · · Score: 2, Insightful

    What's important is that attackers are somehow managing to obtain the administrative credentials required to make unauthorized changes that take control of the networking gear.

    So, there's a big privilege escalation vulnerability that they haven't identified yet. This is a side effect of something serious that has not yet been isolated by Cisco.

    Yeah, that's serious.

  3. Re:"after gaining administrative or physical acces by Anonymous Coward · · Score: 5, Funny

    A privilege escalation vulnerability that gives physical access? Yeah, that does sound pretty serious.

  4. Re:"after gaining administrative or physical acces by gstoddart · · Score: 4, Insightful

    Unless of course there's a way to do it remotely using a built in security hole like a default password.

    And then it becomes a whole lot less "no shit, Sherlock" and becomes a lot more of "what the fuck were they thinking?".

    What's key here is if companies are having an epidemic of their admin credentials being obtained through other means, or if there is a means of getting those admin credentials which shouldn't exist.

    If it's a bunch of organizations with bad security practices, well, that's kind of hard to fix. If it's pinging the device and saying "give me your credentials", or a security backdoor they implemented ... then it's an entirely different matter.

    And in this day and age, I'm afraid my thinking is the security back door isn't so implausible. And I'm afraid if it's that, the issue lies squarely at the feet of Cisco.

    --
    Lost at C:>. Found at C.
  5. Re:"after gaining administrative or physical acces by hey! · · Score: 2

    You're missing the point.

    Normally we take it for granted that most devices are insecure if they're not physically secured. From a technical standpoint vulnerability to physical attacks is the least interesting kind; you just tell your clients to lock the network closets, maybe log access to them. But the fact that a class of devices widely deployed -- in fact ubiquitously deployed -- in sensitive roles has been co-opted puts a different light on things.

    In fact it flips things entirely around. If there were an easily exploitable remote vulnerability and there were a widespread attack using that, certainly that would be an emergency, but we'd know what to do. Send out an urgent bulletin, get the patch out, work like hell while the customers secure their equipment. But what if this is a widespread physical attack? An occasional instance of this wouldn't be a big deal; you'd expect that occasionally a sloppy facility will intersect with something like a disgruntled employee. But a widespread program of physical attack violates one of our underlying assumptions about security, which is that physical vulnerabilities are not a big deal. What's more, it suggests a degree of organization, planning and resources that make you wonder: who the hell is doing this, and why?

    I think if we look into this and discover an extremely widespread remote exploit is behind it, that will be the happy outcome. If it turns out that someone managed this by physical access, that means we were in a cyber-war and didn't know it.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  6. Re:Stupid post, but... by Macfox · · Score: 2

    Correct me if I'm wrong... But the significance of this report is that it implies ROMMON can be updated without console (local Physical) access. AFAIK ROMMON is only accessible via the console port on most platforms.

    --
    Area51 - We are watching...
  7. $5 says ... by Anonymous Coward · · Score: 2, Interesting

    Somebody's discovered a backdoor that Cisco installed in Cisco IOS products.

  8. Re:Probably not the NSA then ... by gstoddart · · Score: 4, Insightful

    Are you honestly expecting the NSA would tell them if they did this?

    the NSA won't tell Congress what they do ... WTF makes you think they give a crap what Cisco thinks about it?

    It may or may not be the NSA doing this, but I think your assumption they'd be forthright in admitting it is misguided. In fact, I assume at this point they'd lie through their teeth.

    --
    Lost at C:>. Found at C.
  9. Re:"after gaining administrative or physical acces by JustAnotherOldGuy · · Score: 4, Funny

    A privilege escalation vulnerability that gives physical access? Yeah, that does sound pretty serious.

    Apparently, once it's been rooted it enables teleportation.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  10. Re:"after gaining administrative or physical acces by Drakonblayde · · Score: 2

    You don't actually need physical access, you just need access to the console port. Most folks don't access their console ports by going around and plugging in rollover cables, they hook the console ports into terminal servers and get remote console access that way.

    So yeah, all you really need to do is find a way onto the management network and obtain some admin credentials.

  11. Re:"after gaining administrative or physical acces by Drakonblayde · · Score: 2

    Unless of course there's a way to do it remotely using a built in security hole like a default password.

    And then it becomes a whole lot less "no shit, Sherlock" and becomes a lot more of "what the fuck were they thinking?".

    If there was a backdoor password, someone would have spilled it by now, or it's the best kept secret in the black hat community.

    The Cisco advisory is basically saying 'hey, if someone has root, they can do bad shit'. And yeah, that's no shit, Sherlock.

  12. Re:"after gaining administrative or physical acces by vtcodger · · Score: 2

    Serious Question: Is it ever going to be possible to secure systems that allow firmware to be updated by a remote user?

    Isn't it likely that at some point we're going to have to face up to the reality that many things we find to be extremely convenient simply aren't compatible with the notion of security?

    --
    You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
  13. NSA probably intercepts routers in the US too by Rujiel · · Score: 2

    Why would they limit themselves to exported hardware?

  14. Re:"after gaining administrative or physical acces by sjames · · Score: 2

    Disabling security violations from physical access is very dangerous and undesirable. If you do that, how do you recover admin access if the credentials are lost? If you can suggest any solution to that, you have left physical access as an attack vector.

    There are mitigations, however. There exists a well documented procedure over serial console to gain admin access to a Cisco router without the password. The catch is that to do so, you must take the router off line and so set off all the network monitors (you are running those, right?). Further, you will wipe out the configuration on the router when you do so.

    That is perfectly adequate to make the tampering evident. The problem comes in if the response to the alarms is an immediate visit to the router to see what might have been done to the configs and to change the admin credentials and nothing else. That's how a replaced rommon could be a problem. Awareness of that vector will suggest reloading a known good copy.

    Likewise, it comes in to play if an admin is fired for cause. Again, awareness that the rommon image could have been switched out will suggest that just reviewing the configs and changing the password is not enough.

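An added check, not code from the thread, from Cisco or from any commenter: the comment above notes that the documented console password-recovery procedure takes the router offline, wipes the running configuration, and that a replaced ROMMON survives an admin who only reviews the configs and rotates the password. One cheap post-incident step is to parse a captured `show version` and compare the bootstrap version, image name and configuration register against a baseline recorded when the box was last known good. The sample output, hostname, versions and `BASELINE` values below are constructed for illustration; the one fact relied on is that configuration-register bit 6 (0x0040, giving 0x2142 from the usual 0x2102) makes IOS ignore the startup-config, which is what password recovery sets.

```python
"""Audit a captured Cisco IOS `show version` for ROMMON / password-recovery residue.

Added example: not code from the Slashdot thread, from Cisco, or from any
commenter. The sample output below is constructed for illustration.
"""
import re

# Constructed sample of `show version` from a hypothetical IOS Classic router.
# Versions, hostname and image name are illustrative, not from a real device.
SAMPLE_SHOW_VERSION = """\
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)
ROM: System Bootstrap, Version 15.0(1r)M9, RELEASE SOFTWARE (fc1)

router1 uptime is 2 days, 3 hours, 11 minutes
System returned to ROM by reload at 09:12:01 UTC Mon Aug 10 2015
System image file is "flash0:c2900-universalk9-mz.SPA.151-4.M4.bin"

Configuration register is 0x2102 (will be 0x2142 at next reload)
"""

# Hypothetical baseline recorded when the device was last known good.
BASELINE = {
    "rommon": "15.0(1r)M9",
    "image": "flash0:c2900-universalk9-mz.SPA.151-4.M4.bin",
    "config_register": 0x2102,
}

# Configuration-register bit 6: boot while ignoring the startup-config in
# NVRAM. The documented password-recovery procedure sets it (0x2102 -> 0x2142),
# so seeing it on a production box is a tamper indicator worth explaining.
IGNORE_NVRAM = 0x0040

_ROMMON_RE = re.compile(r"^ROM: System Bootstrap, Version (\S+),", re.M)
_IMAGE_RE = re.compile(r'^System image file is "([^"]+)"', re.M)
_CONFREG_RE = re.compile(
    r"^Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?", re.M)


def parse_show_version(text):
    """Extract the fields this audit cares about; missing fields come back as None."""
    rommon = _ROMMON_RE.search(text)
    image = _IMAGE_RE.search(text)
    confreg = _CONFREG_RE.search(text)
    return {
        "rommon": rommon.group(1) if rommon else None,
        "image": image.group(1) if image else None,
        "config_register": int(confreg.group(1), 16) if confreg else None,
        "next_config_register": (int(confreg.group(2), 16)
                                 if confreg and confreg.group(2) else None),
    }


def audit_show_version(text, baseline):
    """Return a list of findings; an empty list means nothing deviates from baseline."""
    p = parse_show_version(text)
    findings = []

    if p["rommon"] is None:
        findings.append("no 'ROM: System Bootstrap' line; output truncated or format changed")
    elif p["rommon"] != baseline["rommon"]:
        findings.append(f"ROMMON version {p['rommon']} differs from baseline {baseline['rommon']}")

    if p["image"] is not None and p["image"] != baseline["image"]:
        findings.append(f"system image {p['image']} differs from baseline {baseline['image']}")

    # Check both the live register and the one queued for the next reload:
    # an attacker (or a sloppy recovery) may have changed only the latter.
    for label, reg in (("current", p["config_register"]),
                       ("next-reload", p["next_config_register"])):
        if reg is None:
            continue
        if reg & IGNORE_NVRAM:
            findings.append(f"{label} config register {reg:#06x} ignores startup-config "
                            "(password-recovery setting)")
        elif reg != baseline["config_register"]:
            findings.append(f"{label} config register {reg:#06x} differs from baseline "
                            f"{baseline['config_register']:#06x}")
    return findings


if __name__ == "__main__":
    for finding in audit_show_version(SAMPLE_SHOW_VERSION, BASELINE) or ["clean"]:
        print(finding)
```

The caveat that follows from the thread itself: the bootstrap version string in `show version` is reported by the ROMMON that is running, so a carefully built malicious image can simply echo the expected string. This check catches recovery-procedure residue and careless swaps, not a competent adversary; the advice in the comment above, reloading a known-good ROMMON image rather than trusting what the device says about itself, still stands.
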
  15. Re:"after gaining administrative or physical acces by Zero__Kelvin · · Score: 2

    They are replacing the ROMMON Bootloader, not the firmware image. It is entirely possible that you do need physical access to do this, either because the bootloader is a separate ROM IC, or because software requires you to press/hold a button before proceeding. I don't know for sure. Do you have actual experience replacing ROMMON?

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  16. But That's How We've Always Done It! by Jonathan C. Patschke · · Score: 2

    The significance of the advisory isn't that the initial firmware can be replaced. As indicated, that's a standard feature not only with Cisco gear but just about any computing device.

    This is what should change. Firmware being read-write without some significant intervention is a huge factor in the current generation of vulnerabilities. Why is ROMMON write-enabled without moving a jumper or flipping a physical switch on the chassis?

    Why can we update firmware on our PCs without needing to reboot into some special mode first? That stuff should be read-only (preferably with a hardware latch on the write-enable pin that's only cleared by a processor reset) as early as possible in the boot sequence.

    The general case is that we do not update firmware while running the device. Even if you did that thirty times in the lifetime of the computer, they'd still be relatively exceptional cases. Why is the default behavior to trust that the OS will be bug-free enough to protect something so critical?

    Or maybe I'm just getting old. Break out the UV EPROM-eraser and get off my lawn!

    --
    Pining for the days when The Glorious MEEPT!!! graced SlapDash with his wisdom.