Cisco has observed a limited number of cases where attackers, after gaining administrative or physical access to a Cisco IOS device, replaced the Cisco IOS ROMMON (IOS bootstrap) with a malicious ROMMON image.
In all cases seen by Cisco, attackers gained access to the devices using valid administrative credentials and then used the ROMMON field upgrade process to install a malicious ROMMON. Once the malicious ROMMON was installed and the IOS device was rebooted, the attacker was able to manipulate device behavior. Utilizing a malicious ROMMON provides attackers an additional advantage as infection will persist through a reboot.
No product vulnerability is leveraged in this attack, and the attacker requires valid administrative credentials or physical access to the box to be successful. The ability to install an upgraded ROMMON image on IOS devices is a standard, documented feature that administrators use to manage their network. No CVE will be assigned.
The Cisco PSIRT has recently updated a number of our technical documents to include information regarding the ROMMON attack as well as other threats to Cisco IOS devices. The following whitepapers are publicly available and provide information for preventing, detecting and remediating potential compromise on Cisco IOS devices.
Cisco recommends users of Cisco IOS devices review these documents to understand the types of threats against Cisco IOS devices, and ensure operational procedures include methods for preventing and detecting compromise.
For help with implementing any of the recommendations in the documents, customers should contact their appropriate support organization.
We request your assistance by distributing this information to your constituent organizations to raise awareness about the evolution of threats against Cisco IOS devices.
For questions regarding information in the above documents, contact firstname.lastname@example.org
I have a firepower device and I want to manage it (HTTPS,SSH) over an anyconnect remote vpn connection.
I tried to use the management-access <interface> command, but it shows as 'blacklisted' in firepower.
So is there any other way to achieve...
Has anyone ever implemented it on the Edge router/firewall? I put it about five (5) years ago, and never got any hit.Here is the link: https://team-cymru.org/Services/Bogons/fullbogons-ipv6.txt I thought it was useless back then, but I do not kn...
When I attempt to log into the CIMC it tells me that my password or user ID is incorrect. I have tried "admin" "password". At this point I think that I need to reset the password but am unable to find out how to do so. Pressing F8 while the system boots u...
Questions on ISE, if I can get some definitive answers on how it works? 1. Grace period - when does it start? * Can it be pushed manually onto a client?2. Windows updates - when non-compliant shouldn't the update still run if...
We observe a periodic authentication problem on our 2 ASR1002-X.It is impossible to get to the device either under local accounts or through tacacs, only reboot helps.The software on the two ASRs is the same Cisco IOS Software [Fuji], ASR1000 Software (X8...