I always perform the md5 and/or SHA verification of images on flash
against the Cisco website. This is mainly to ensure a good transfer from
TFTP. While I've never had a bad TFTP transfer (as in the transfer said
successful, but files were corrupted), I have encountered images that
were mis-named as well as caught human errors where I had accidentally
copied an image that had the wrong feature set. The verification helps
prevent these oversights.
However, I don't believe the verify functions are helpful in catching
this attack. Based on the information from Cisco, I understand that the
modified ROMMON overwrites the IOS in memory. Thus the file on flash
will not be modified and will appear normal. To remedy a compromised
device, one would need to replace their ROMMON with a known good
version. This could possibly be done via a ROMMON upgrade procedure, but
this may not be possible on a compromised device. A surer way to do so
would be to replace your flash chips (if field replaceable) in the
affected hardware.
--Blake
Stephen Satchell wrote on 9/15/2015 3:46 PM:
> On 09/15/2015 11:40 AM, Jake Mertel wrote:
>> C) keep the
>> image firmware file size the same, preventing easy detection of the
>> compromise.
>
> Hmmm...time to automate the downloading and checksumming of the IOS
> images in my router. Hey, Expect, I'm looking at YOU.
>
> Wait a minute...doesn't Cisco have checksums in its file system? This
> might be even easier than I thought, no TFTP server required...
>
> http://www.cisco.com/web/about/security/intelligence/iosimage.html#10
>
> Switch#dir *.bin
> (Capture the image name)
> Switch#verify /md5 my.installed.IOS.image.bin
>
> The output is a bunch of dots (for a switch) followed by an output
> line that ends "= xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" with the
> x's replaced with the MD5 hash.
>
> The command is on 2811 routers, too. Maybe far more devices, but I
> didn't want to take the time to check. You would need to capture the
> MD5 from a known good image, and watch for changes.
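The automation Stephen sketches, as an added example that is not part of any of the posts above: a Python script that parses captured `verify /md5` output and compares each image's digest with a stored known-good value. The image names, sample output and hash values are constructed for the example; as Blake notes, this only checks the file on flash, not what a modified ROMMON loaded into memory.

```python
import hmac
import re

# Constructed capture of two "verify /md5" runs on an IOS device: dots while
# hashing, then a line ending in "= <hash>". Hash values are made up.
VERIFY_OUTPUT = """Switch#verify /md5 flash:c2960-lanbasek9-mz.150-2.SE4.bin
.............................Done!
verify /md5 (flash:c2960-lanbasek9-mz.150-2.SE4.bin) = 0123456789abcdef0123456789abcdef
Switch#verify /md5 flash:c2960-lanbasek9-mz.122-55.SE.bin
.............................Done!
verify /md5 (flash:c2960-lanbasek9-mz.122-55.SE.bin) = ffffffffffffffffffffffffffffffff
"""

# Baseline captured once per image from a known-good copy (constructed values).
BASELINE = {
    "c2960-lanbasek9-mz.150-2.SE4.bin": "0123456789abcdef0123456789abcdef",
    "c2960-lanbasek9-mz.122-55.SE.bin": "00000000000000000000000000000000",
}

# Matches the result line; the optional "flash:" style prefix is dropped.
VERIFY_RE = re.compile(
    r"verify /md5 \((?:\w+:)?(?P<name>[^)]+)\) = (?P<md5>[0-9a-fA-F]{32})\s*$", re.M)


def parse_verify(output: str) -> dict:
    """Return {image name: lowercase md5} for every result line in the capture."""
    return {m["name"]: m["md5"].lower() for m in VERIFY_RE.finditer(output)}


def check_images(output: str, baseline: dict) -> dict:
    """Classify each image as ok, MISMATCH, unknown (no baseline) or missing."""
    results = {}
    for name, digest in parse_verify(output).items():
        expected = baseline.get(name)
        if expected is None:
            results[name] = "unknown"
        elif hmac.compare_digest(digest, expected.lower()):
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    # An image that vanished from flash since the baseline deserves a look too.
    for name in baseline:
        results.setdefault(name, "missing")
    return results


if __name__ == "__main__":
    for name, status in check_images(VERIFY_OUTPUT, BASELINE).items():
        print(f"{status:9} {name}")
```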