
Verify IOS MD5 Hash, Possible Compromised Switch

I have a Cisco C2960 in production which was compromised. The switch has been pulled and I'm trying to determine if the IOS image was tampered with.

Since the switch is End-of-Life / End-of-Support, I'm unable to get from Cisco what the hash is to validate the authenticity of the image. I'm throwing a Hail Mary and hoping someone has the MD5 hash for the following image to verify against what I have.

Version 12.2(53)SE2

c2960-lanbasek9-mz.122-53.SE2.bin

Any help is highly appreciated, or if someone can direct me to where I may be able to find this info I will be forever indebted.

Thanks,

Andres

2 Replies

marce1000
VIP

 - Perhaps you could just install this gold-starred release :

            https://software.cisco.com/download/home/281231709/type/280805680/release/12.2.55-SE12

 where you can still verify the md5sum from (as it is available for download).

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Leo Laohoo
Hall of Fame

Do you have a Cisco SE/AM?  If you do, reach out to them.  Cisco PSIRT has published some references and procedures on what-to-do and what-to-collect if operators suspect a Cisco appliance has been compromised.  (I am unable to find that document.)

Another thing, describe the "compromise".  

My first guess is Smart Install (aka "vstack") was left enabled.
