jamesvc3
Beginner

CSCvn89145 - Cisco Secure Boot Hardware Tampering Vulnerability

The CPLD version returns a value, FPGA version does not and returns "N/A". 

 

(mine)ASR1001X-1#sh hw-programmable R0
Hw-programmable versions

Slot    CPLD version          FPGA version
-----------------------------------------------------------
R0      14041015               N/A


Does anybody have the foggiest on how to install the upgrade?

I can't find any documentation... The only thing I find is referencing to a .pkg file, but this is a .bin?

So, to install this update, I just transferred the .bin file to the router and had to reload. I would suggest you change your config-register value to 0x2100 to disable auto boot so that when you reload the router, you can manually boot the update file.

 

The update will require a local administrator to be consoled in to start the update and the process doesn't take too much time at all. The update will ask you to press any key to trigger a reload once it finishes, which will then take you back to ROMMON since auto boot is disabled currently. Just boot your IOS and remember to change your config-register value back to 0x2102.

 

I suggest disabling auto boot only because there is a bug with the ASR 1001-x where issuing the break sequence will actually stop ROMMON from being able to access the file system, so you'll just be prompted to continually "reset the device to continue". That bug can be seen at the following link: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCtq26164/?rfs=iqvred

 

But that was all I needed to do. A "show hw-programmable R0" after the update showed the updated CPLD version number Cisco identified to determine if a router has been patched.

Upload the .bin to the router, set config register to 0x2100.
Reload router, once in ROMMON issue boot bootflash:/ASR1K_fpga_prog.16.0.0.xe.bin
*Please note I had to rename the file with "ASR1K_" instead of "ASR1K-" to get FTP to function properly*

It will boot up into a menu, prompt you if you want to proceed, Y and then it'll prompt you to reload once the upgrade is complete. Reload, get the device booted, reset config register to 0x2102 and that should get you there. I tested this on an ASR-1001x on my bench today as I couldn't get the upgrade hw-programmable method to function/mount correctly.

 

Thank you. 

AndrewRester9591
Beginner

"14041014" is the "version" you're looking for.
For my particular ASR 1001-X, an FPGA version of 19022811 or above indicates the device has the fixed FPGA version.
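As an added example (not from this thread or from Cisco), a small Python check that parses the "show hw-programmable" output quoted above and compares each slot's CPLD and FPGA version against the fixed versions quoted in this thread for the ASR 1001-X. The thresholds, the numeric comparison and the sample output are assumptions taken from the thread, so verify them against the Cisco advisory for your platform; an "N/A" version is reported as unknown rather than fixed.

```python
import re

# Constructed sample output of "show hw-programmable R0" on an ASR 1001-X,
# modelled on the output posted in the thread (not captured from a real device).
SAMPLE_OUTPUT = """\
Hw-programmable versions

Slot    CPLD version          FPGA version
-----------------------------------------------------------
R0      14041015               N/A
"""

# Minimum fixed versions as quoted in this thread for the ASR 1001-X.
# Assumption: other platforms have different fixed versions; check the advisory.
MIN_FIXED = {"CPLD": 14041014, "FPGA": 19022811}

ROW_RE = re.compile(r"^(?P<slot>\S+)\s+(?P<cpld>\S+)\s+(?P<fpga>\S+)\s*$")


def parse_hw_programmable(text):
    """Return {slot: {"CPLD": str, "FPGA": str}} from show hw-programmable output."""
    rows = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("-----"):
            in_table = True          # rows follow the dashed separator
            continue
        if not in_table or not line.strip():
            continue
        m = ROW_RE.match(line)
        if m:
            rows[m.group("slot")] = {"CPLD": m.group("cpld"), "FPGA": m.group("fpga")}
    return rows


def assess(rows, minimums=MIN_FIXED):
    """Classify each component per slot as 'fixed', 'vulnerable' or 'unknown'."""
    result = {}
    for slot, versions in rows.items():
        result[slot] = {}
        for comp, ver in versions.items():
            if not ver.isdigit():
                # "N/A" as in the original post: no version reported, so nothing is proven
                result[slot][comp] = "unknown"
            elif int(ver) >= minimums[comp]:
                result[slot][comp] = "fixed"
            else:
                result[slot][comp] = "vulnerable"
    return result


if __name__ == "__main__":
    for slot, status in assess(parse_hw_programmable(SAMPLE_OUTPUT)).items():
        print(slot, status)
```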