05-15-2021 08:29 AM
I have a Cisco C2960 in production which was compromised. The switch has been pulled and I'm trying to determine if the IOS image was tampered with.
Since the switch is End-of-Life / End-of-Support, I'm unable to get from Cisco what the hash is to validate the authenticity of the image. I'm throwing a Hail Mary and hoping someone has the MD5 hash for the following image to verify against what I have.
Version 12.2(53)SE2
c2960-lanbasek9-mz.122-53.SE2.bin
Any help is highly appreciated, or if someone can direct me to where I may be able to find this info I will be forever indebted.
Thanks,
Andres
05-15-2021 08:45 AM
Perhaps you could just install this gold-starred release:
https://software.cisco.com/download/home/281231709/type/280805680/release/12.2.55-SE12
where you can still verify the md5sum (as it is available for download).
M.
05-15-2021 05:17 PM
Do you have a Cisco SE/AM? If you do, reach out to them. Cisco PSIRT has published some references and procedures on what-to-do and what-to-collect if operators suspect a Cisco appliance has been compromised. (I am unable to find that document.)
Another thing, describe the "compromise".
My first guess is Smart Install (aka "vstack") was left enabled.