nanog mailing list archives
Re: Synful Knock questions...
From: Blake Hudson <blake () ispn net>
Date: Tue, 15 Sep 2015 17:06:53 -0500
I always perform the md5 and/or SHA verification of images on flash against the Cisco website. This is mainly to ensure a good transfer from TFTP. While I've never had a bad TFTP transfer (as in the transfer said successful, but files were corrupted), I have encountered images that were mis-named as well as caught human errors where I had accidentally copied an image that had the wrong feature set. The verification helps prevent these oversights.
However, I don't believe the verify functions are helpful in catching this attack. Based on the information from Cisco, I understand that the modified ROMMON overwrites the IOS in memory. Thus the file on flash will not be modified and will appear normal. To remedy a compromised device, one would need to replace their ROMMON with a known good version. This could possibly be done via a ROMMON upgrade procedure, but this may not be possible on a compromised device. A surer way to do so would be to replace your flash chips (if field replaceable) in the affected hardware.
--Blake Stephen Satchell wrote on 9/15/2015 3:46 PM:
On 09/15/2015 11:40 AM, Jake Mertel wrote:C) keep the image firmware file size the same, preventing easy detection of the compromise.Hmmm...time to automate the downloading and checksumming of the IOS images in my router. Hey, Expect, I'm looking at YOU.Wait a minute...doesn't Cisco have checksums in its file system? This might be even easier than I thought, no TFTP server required...http://www.cisco.com/web/about/security/intelligence/iosimage.html#10 Switch#dir *.bin (Capture the image name) Switch#verify /md5 my.installed.IOS.image.binThe output is a bunch of dots (for a switch) followed by an output line that ends "= xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" with the x's replaced with the MD5 hash.The command is on 2811 routers, too. Maybe far more devices, but I didn't want to take the time to check. You would need to capture the MD5 from a known good image, and watch for changes.
Current thread:
- Re: Synful Knock questions..., (continued)
- Re: Synful Knock questions... Jake Mertel (Sep 15)
- Re: Synful Knock questions... Michael Douglas (Sep 15)
- Re: Synful Knock questions... Jake Mertel (Sep 15)
- Re: Synful Knock questions... Valdis . Kletnieks (Sep 15)
- Re: Synful Knock questions... Jake Mertel (Sep 15)
- Re: Synful Knock questions... Michael Douglas (Sep 15)
- Re: Synful Knock questions... Jared Mauch (Sep 15)
- Re: Synful Knock questions... Jake Mertel (Sep 15)
- Re: Synful Knock questions... Marcin Cieslak (Sep 15)
- Re: Synful Knock questions... Stephen Satchell (Sep 15)
- Re: Synful Knock questions... Valdis . Kletnieks (Sep 15)
- Re: Synful Knock questions... Alain Hebert (Sep 15)
- Re: Synful Knock questions... Blake Hudson (Sep 15)
- Re: Synful Knock questions... Paul Ferguson (Sep 15)
- Re: Synful Knock questions... Roland Dobbins (Sep 15)
- Re: Synful Knock questions... Royce Williams (Sep 16)
- Re: Synful Knock questions... Stephen Fulton (Sep 16)
- Re: Synful Knock questions... Stephen Fulton (Sep 16)
- Re: Synful Knock questions... Jake Mertel (Sep 25)
- Message not available
- Re: Synful Knock questions... Hank Nussbacher (Sep 26)
- Re: Synful Knock questions... Blake Hudson (Sep 16)
- RE: Re: Synful Knock questions... Darden, Patrick (Sep 16)
- Re: Synful Knock questions... Michael Douglas (Sep 16)