cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
725
Views
30
Helpful
7
Replies
Highlighted
Beginner

CSCvn77246 - Cisco Secure Boot Hardware Tampering Vulnerability - 4

For an ASA chassis already running FTD, it seems that we will be waiting for a new FTD image that will either upgrade the firmware.  Is this correct, or will the current ASA ROMMON will be released as an FTD firmware bundle also?  At the moment it appears the only option would be to do a full migration back to ASA in order to upgrade ROMMON and then do another migration back to FTD.  Would it be possible to TFTP boot an FTD as an ASA to simplify/shorten that process somewhat?

7 REPLIES 7
Highlighted
VIP Advocate

Re: CSCvn77246 - Cisco Secure Boot Hardware Tampering Vulnerability - 4

Updated my Firepower 2110 last week to ASA 9.9(2)52. That version included the firmware upgrade for the secure boot hardware. It took ~25 minutes for the Firepower to reboot fully. It actually rebooted 4 or 5 times and each time upgraded another part of the firmware.
Highlighted
Beginner

Re: CSCvn77246 - Cisco Secure Boot Hardware Tampering Vulnerability - 4

Yes, the FirePower chassis have the firmware included--the question is when/how will the ASA chassis firmware be included.

Highlighted
VIP Advocate

Re: CSCvn77246 - Cisco Secure Boot Hardware Tampering Vulnerability - 4

Check the bug information.
They updated it, you have now a ROMMON patch file for every affected ASA model, including installation manual.

Copy paste from the important part (but read the release notes linked in the download sites!):

Fix Delivery Mechanism:
The fixes for this vulnerability will be delivered in the following way:

As part of future Cisco ASA software images. After loading an ASA image with the fix, customer can initiate the FPGA and ROMMON upgrade process.

Links to download firmware bundles
ASA5506-X https://software.cisco.com/download/home/286283326/type/286287669/release/1.1.15
ASA5506H-X https://software.cisco.com/download/home/286286701/type/286287669/release/1.1.15
ASA5506W-X https://software.cisco.com/download/home/286285101/type/286287669/release/1.1.15
ASA5508-X https://software.cisco.com/download/home/286285773/type/286287669/release/1.1.15
ASA5516-X https://software.cisco.com/download/home/286285782/type/286287669/release/1.1.15

Remediation Steps:
The following steps can be performed on an affected device to deploy this software update:

1. Boot an ASA software image
2. At a CLI prompt, type "copy tftp://ip_address/asa5500-firmware-1115.SPA disk0:" to download firmware upgrade bundle
3. Type> "upgrade rommon disk0:asa5500-firmware-1115.SPA"
4. To confirm, press enter
5. The procedure takes about 15~20 minutes. Do not power cycle or reset the system during the procedure.
6. It reboots and boots into ROMMON and starts rommon/fpga upgrade. Once done boot into ASA OS again. Upgrade is complete!
7. User can type "showmon -v" at rommon> to check the bootrom version to be 1.1.15.
8. If upgrade fails, contact a TAC. Do NOT power cycle the system.

Additional information about how to perform this upgrade may be available in the product release notes that accompany the first fixed software release.
Contact your support organization for guidance if additional information is required.
Highlighted
Beginner

Re: CSCvn77246 - Cisco Secure Boot Hardware Tampering Vulnerability - 4

This is what I'm asking about.  Specifically, in your quote, read the first line of the directions:

 

1. Boot an ASA software image.

 

Now please review the questions I posted.  There is NOT an FTD image yet that includes the firmware update for ASA chassis, nor is there a way to update firmware from the FTD command line.

Highlighted
VIP Advocate

Re: CSCvn77246 - Cisco Secure Boot Hardware Tampering Vulnerability - 4

Very sorry, read it the other way around!
You're of course right.
I don't have the box to test, I assume this command doesn't exist on the CLI?
# upgrade rommon
Highlighted
Beginner

Re: CSCvn77246 - Cisco Secure Boot Hardware Tampering Vulnerability - 4

Did you by chance open a TAC case or find any further information regarding FTD models? Thanks.

Highlighted
Beginner

Re: CSCvn77246 - Cisco Secure Boot Hardware Tampering Vulnerability - 4

One year later, Bootrom 1115 is mandatory for installing FTD 6.6.

And still the only solution seems to reimage back to ASA to install RomMon Upgrade and then re-image to FTD.

 

I 'm going to open a TAC Case.

 

Found IT:

https://community.cisco.com/t5/security-documents/asa-x-rommon-upgrade-for-ftd-sensors/ta-p/3746210

 

in short, login to FTD, switch to system support diagnostic-cli

enable

and then follow procedure.

 

Hope this helps.