Beware of the Imitations

Wednesday, September 16, 2015

Jayson Wylie


There have been reports of compromised Cisco IOS images running in the wild, along with warnings that reverse-engineered IOS images have been detected.

The article reads as describing an attempt to remove functions that the NSA uses, but it does not identify who is behind the replacement software. Compare an Apple iOS jailbreak: the operator never knows which functions were replaced, or who is monitoring or has access to the replaced images or files.

I would never recommend moving away from the original vendor to another source without knowing where the software came from or who is controlling it. It would be hard to find out, and technicians, feeling insecure about the original's monitored features, may feel less watched if they use another image that is available.

The darker side of this is that cyber actors are finding vulnerabilities that let them remotely inject different code. That gives them a wide range of access and actions, and leaves both the equipment and the networks it sits in compromised.

Network security engineers should always be in a position to upgrade the devices they manage to the latest Cisco IOS. It is sometimes a difficult and nerve-racking process, but it is how known flaws get removed. A SMARTnet contract must be purchased for an organization to download the latest images for its devices.

An organization may choose to forgo this ongoing service and grab available images from other Internet sources instead. Technicians beware! A malicious image can carry the same filename as the genuine one and leave your network wide open.

Images obtained properly from Cisco come with a published MD5 checksum that identifies the file. That checksum should be compared against the downloaded file before it goes anywhere near a device, and it can also be used to verify the image already on a device (on IOS, verify /md5 flash:filename computes the hash of the file in flash). Note that a hash check only catches an image that differs from the vendor's; it is no substitute for getting the image from the vendor in the first place.

No widespread infection has been acknowledged or observed, but images should still be obtained from a valid source, and organizations should involve their technicians in a manual process of checking their validity.

Large organizations that use a management system such as CiscoWorks can group like devices and run a script that verifies the proper images are loaded and in use. A scripted telnet (or SSH) session that collects the same output from each device is another option.

The important thing is that Cisco IOS images obtained from the vendor should be used, secured (where the platform supports it) and verified, until this check is built into future IOS releases as a startup function. Best practice is to check validity on a schedule, alert staff when an improper image is detected, and have an FTP server push the correct image automatically.
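The two checks described above, hashing a downloaded image against the vendor-published MD5 and auditing a fleet's show version / verify /md5 output against an approved baseline, as one added example script. This is not code from the original post or from Cisco; the baseline hashes are hypothetical placeholders, and the device output is constructed sample text shaped like the IOS command output rather than a capture from real equipment.

```python
"""Added example: verify Cisco IOS images against a vendor-published baseline.

Two checks in one script:
  1. hash a freshly downloaded image and compare it with the MD5 the vendor
     publishes, before the file ever reaches a device;
  2. parse 'show version' and 'verify /md5' output collected from each router
     and flag any device whose image name or hash is not in the baseline.
Device output below is constructed sample text, not captured from real gear,
and the baseline hashes are hypothetical placeholders.
"""
import hashlib
import hmac
import re

# Hypothetical baseline: image filename -> MD5 as published by the vendor.
# Replace with the hashes from the Cisco download page for your platform.
APPROVED_IMAGES = {
    "c2900-universalk9-mz.SPA.154-3.M3.bin": "3f6cd2b4e1a7c0d5f8b9e2a1c4d7f0b3",
    "c3750-ipservicesk9-mz.150-2.SE9.bin": "a1b2c3d4e5f60718293a4b5c6d7e8f90",
}


def digest_bytes(data: bytes) -> dict:
    """MD5 and SHA-512 of an in-memory blob (small files and tests)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha512": hashlib.sha512(data).hexdigest()}


def digest_file(path: str, chunk: int = 1 << 20) -> dict:
    """Stream a large image through MD5 and SHA-512 without loading it whole."""
    h_md5, h_sha = hashlib.md5(), hashlib.sha512()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h_md5.update(block)
            h_sha.update(block)
    return {"md5": h_md5.hexdigest(), "sha512": h_sha.hexdigest()}


def hashes_match(actual: str, expected: str) -> bool:
    """Case-insensitive, constant-time comparison of two hex digests."""
    return hmac.compare_digest(actual.strip().lower(), expected.strip().lower())


def verify_download(path: str, expected_md5: str) -> bool:
    """Check 1: the downloaded file must match the vendor-published MD5."""
    return hashes_match(digest_file(path)["md5"], expected_md5)


_IMAGE_RE = re.compile(r'System image file is "([^"]+)"')
_VERIFY_RE = re.compile(r'verify /md5 \(([^)]+)\) = ([0-9A-Fa-f]{32})')


def strip_filesystem(path: str) -> str:
    """'flash0:c2900-x.bin' -> 'c2900-x.bin'; also drops any directory part."""
    return re.sub(r'^[^:]+:/?', '', path).rsplit('/', 1)[-1]


def check_device(hostname: str, show_version: str, verify_out: str) -> dict:
    """Check 2: classify one device from its 'show version' and 'verify /md5' output."""
    m = _IMAGE_RE.search(show_version)
    if not m:
        return {"host": hostname, "status": "unverified",
                "reason": "no system image line"}
    image = strip_filesystem(m.group(1))
    v = _VERIFY_RE.search(verify_out)
    if not v or strip_filesystem(v.group(1)) != image:
        return {"host": hostname, "image": image, "status": "unverified",
                "reason": "verify /md5 output missing or for a different file"}
    expected = APPROVED_IMAGES.get(image)
    if expected is None:
        return {"host": hostname, "image": image, "status": "unapproved-image"}
    if not hashes_match(v.group(2), expected):
        # Same filename as an approved image but different contents: the
        # look-alike case that a filename check alone would miss.
        return {"host": hostname, "image": image, "status": "hash-mismatch"}
    return {"host": hostname, "image": image, "status": "ok"}


def audit(fleet) -> dict:
    """Run check_device over (host, show_version, verify_out) tuples and return
    findings keyed by host plus the sorted list of hosts needing attention."""
    findings = {h: check_device(h, sv, vo) for h, sv, vo in fleet}
    alerts = sorted(h for h, f in findings.items() if f["status"] != "ok")
    return {"findings": findings, "alerts": alerts}


# Constructed sample output, shaped like IOS 'show version' / 'verify /md5' text.
SAMPLE_FLEET = [
    ("rtr-good",
     'Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.4(3)M3\n'
     'System image file is "flash0:c2900-universalk9-mz.SPA.154-3.M3.bin"\n',
     'verify /md5 (flash0:c2900-universalk9-mz.SPA.154-3.M3.bin) = '
     '3f6cd2b4e1a7c0d5f8b9e2a1c4d7f0b3\n'),
    ("rtr-lookalike",  # approved filename, different bytes
     'System image file is "flash0:c2900-universalk9-mz.SPA.154-3.M3.bin"\n',
     'verify /md5 (flash0:c2900-universalk9-mz.SPA.154-3.M3.bin) = '
     'deadbeefdeadbeefdeadbeefdeadbeef\n'),
    ("sw-unknown",  # image never approved
     'System image file is "flash:c3750-ipbasek9-mz.122-55.SE12.bin"\n',
     'verify /md5 (flash:c3750-ipbasek9-mz.122-55.SE12.bin) = '
     '0123456789abcdef0123456789abcdef\n'),
]

if __name__ == "__main__":
    report = audit(SAMPLE_FLEET)
    for host, f in report["findings"].items():
        print(f"{host:14} {f['status']:16} {f.get('image', '')}")
    print("needs attention:", ", ".join(report["alerts"]))
```

In practice the show version and verify /md5 text would come from the management system's script or a scripted SSH session per device; everything else, including the "hash-mismatch" case that catches a look-alike filename, works unchanged on that collected output.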

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
