Cisco has warned users to keep an eye on who’s got admin access to their kit, because it’s seen malicious ROM images in the wild.
The problem is that this isn’t something the Borg can just issue a patch for. Admins – with appropriate credentials, naturally – need to be able to drop new ROM images on their kit as a matter of course.
“The ability to install an upgraded ROMMON image on IOS devices is a standard, documented feature that administrators use to manage their networks”, Cisco says.
In its advisory, the company says “Cisco has observed a limited number of cases where attackers, after gaining administrative or physical access to a Cisco IOS device, replaced the Cisco IOS ROMMON (IOS bootstrap) with a malicious ROMMON image”.
ROMMON is the IOS bootstrap, so replacing it means the attacker can “manipulate device behaviour”, and if the owner doesn’t know there’s a malicious image, it will persist beyond a reboot.
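As an added illustration of the detection side (this is not from the story or from Cisco’s advisory): a small Python check that pulls the ROMMON version out of collected `show version` output and compares it with a baseline recorded when each device was last known good. Device names, the sample output and the baseline versions are all constructed for the example.

```python
import re

# Constructed sample "show version" output from two devices (not real captures).
SHOW_VERSION = {
    "core-rtr-01": """Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 15.2(4)S, RELEASE SOFTWARE (fc1)
ROM: System Bootstrap, Version 12.4(12.2r)T, RELEASE SOFTWARE (fc1)
core-rtr-01 uptime is 41 weeks, 2 days, 3 hours
""",
    "edge-rtr-07": """Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 15.2(4)S, RELEASE SOFTWARE (fc1)
ROM: System Bootstrap, Version 12.4(99.1r)X, RELEASE SOFTWARE (fc1)
edge-rtr-07 uptime is 2 hours, 14 minutes
""",
}

# Hypothetical baseline: the ROMMON version each device reported at its last audit.
BASELINE = {
    "core-rtr-01": "12.4(12.2r)T",
    "edge-rtr-07": "12.4(12.2r)T",
}

# The bootstrap line in "show version" looks like
# "ROM: System Bootstrap, Version <ver>, RELEASE SOFTWARE (fc1)".
ROM_LINE = re.compile(r"^ROM: .*?Version (\S+),", re.MULTILINE)


def rommon_version(show_version_text):
    """Return the ROMMON version string from 'show version' output, or None."""
    m = ROM_LINE.search(show_version_text)
    return m.group(1) if m else None


def audit_rommon(outputs, baseline):
    """Compare each device's reported ROMMON version against the baseline.

    Returns a list of (device, finding, expected, seen) tuples; an empty
    list means every device matched its baseline.
    """
    findings = []
    for device, text in outputs.items():
        seen = rommon_version(text)
        expected = baseline.get(device)
        if seen is None:
            findings.append((device, "no ROM line found", expected, seen))
        elif expected is None:
            findings.append((device, "device not in baseline", expected, seen))
        elif seen != expected:
            findings.append((device, "ROMMON version changed", expected, seen))
    return findings
```

A version string reported by the firmware itself is not proof of integrity, since a modified image can report whatever its author chooses; treat this as a cheap inventory check that flags devices for closer inspection, not as a substitute for verifying the image against Cisco’s published hashes.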