cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1986
Views
30
Helpful
7
Replies

CSCvn77246 - Cisco Secure Boot Hardware Tampering Vulnerability - 4

Nick_N
Level 1
Level 1

For an ASA chassis already running FTD, it seems that we will be waiting for a new FTD image that will either upgrade the firmware.  Is this correct, or will the current ASA ROMMON will be released as an FTD firmware bundle also?  At the moment it appears the only option would be to do a full migration back to ASA in order to upgrade ROMMON and then do another migration back to FTD.  Would it be possible to TFTP boot an FTD as an ASA to simplify/shorten that process somewhat?

7 Replies 7

patoberli
VIP Alumni
VIP Alumni
Updated my Firepower 2110 last week to ASA 9.9(2)52. That version included the firmware upgrade for the secure boot hardware. It took ~25 minutes for the Firepower to reboot fully. It actually rebooted 4 or 5 times and each time upgraded another part of the firmware.

Yes, the FirePower chassis have the firmware included--the question is when/how will the ASA chassis firmware be included.

Check the bug information.
They updated it, you have now a ROMMON patch file for every affected ASA model, including installation manual.

Copy paste from the important part (but read the release notes linked in the download sites!):

Fix Delivery Mechanism:
The fixes for this vulnerability will be delivered in the following way:

As part of future Cisco ASA software images. After loading an ASA image with the fix, customer can initiate the FPGA and ROMMON upgrade process.

Links to download firmware bundles
ASA5506-X https://software.cisco.com/download/home/286283326/type/286287669/release/1.1.15
ASA5506H-X https://software.cisco.com/download/home/286286701/type/286287669/release/1.1.15
ASA5506W-X https://software.cisco.com/download/home/286285101/type/286287669/release/1.1.15
ASA5508-X https://software.cisco.com/download/home/286285773/type/286287669/release/1.1.15
ASA5516-X https://software.cisco.com/download/home/286285782/type/286287669/release/1.1.15

Remediation Steps:
The following steps can be performed on an affected device to deploy this software update:

1. Boot an ASA software image
2. At a CLI prompt, type "copy tftp://ip_address/asa5500-firmware-1115.SPA disk0:" to download firmware upgrade bundle
3. Type> "upgrade rommon disk0:asa5500-firmware-1115.SPA"
4. To confirm, press enter
5. The procedure takes about 15~20 minutes. Do not power cycle or reset the system during the procedure.
6. It reboots and boots into ROMMON and starts rommon/fpga upgrade. Once done boot into ASA OS again. Upgrade is complete!
7. User can type "showmon -v" at rommon> to check the bootrom version to be 1.1.15.
8. If upgrade fails, contact a TAC. Do NOT power cycle the system.

Additional information about how to perform this upgrade may be available in the product release notes that accompany the first fixed software release.
Contact your support organization for guidance if additional information is required.

This is what I'm asking about.  Specifically, in your quote, read the first line of the directions:

 

1. Boot an ASA software image.

 

Now please review the questions I posted.  There is NOT an FTD image yet that includes the firmware update for ASA chassis, nor is there a way to update firmware from the FTD command line.

Very sorry, read it the other way around!
You're of course right.
I don't have the box to test, I assume this command doesn't exist on the CLI?
# upgrade rommon

art.robinson
Level 1
Level 1

Did you by chance open a TAC case or find any further information regarding FTD models? Thanks.

One year later, Bootrom 1115 is mandatory for installing FTD 6.6.

And still the only solution seems to reimage back to ASA to install RomMon Upgrade and then re-image to FTD.

 

I 'm going to open a TAC Case.

 

Found IT:

https://community.cisco.com/t5/security-documents/asa-x-rommon-upgrade-for-ftd-sensors/ta-p/3746210

 

in short, login to FTD, switch to system support diagnostic-cli

enable

and then follow procedure.

 

Hope this helps.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: