Cisco IOS ROMMON Vulnerability

Brief Description

Cisco have identified occurrences in the field where the ROMMON IOS image of a device has been replaced with a malicious version that gives the attacker remote access to the device and therefore, in effect, complete control over its behaviour.

Assessment Of Vulnerability

We would say that the risk level is low and, whilst you should be aware of the risk, in normal circumstances there is not too much to be concerned about. Cisco have marked it as “Mild Damage” for severity and “Possible” for urgency. The key point to consider is that the attacker requires full access to the device in order to carry out the IOS replacement, either via physical access to the device or via full remote access. If a person with malicious intent already has either of those advantages, this particular form of attack is probably low down your list of immediate concerns.

As long as the security controls you have in place are already solid, i.e. good levels of security on all your devices, then the risk level for your site is low. This quote sums it up perfectly: “The ability to install an upgraded ROMMON image on IOS devices is a standard, documented feature that administrators use to manage their networks.”

Checking A Cisco IOS File

A quick way of checking whether the IOS on a device is legitimate is by using the verify command. The device will need to be connected to the Internet to conduct this test.

First run show version and make a note of the full filename of the system image file (the "System image file is" line):

[Image: Cisco IOS 1]

Then simply run the verify command from enable mode with the following syntax, substituting the filename you noted:

verify [filename]

Wait for the process to complete; if the image file is valid, you will receive a "successfully verified" message.

[Image: Cisco IOS 2]
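The same check can be done off the device. IOS also accepts verify /md5 [filename] [hash], which compares the image against a hash you supply, and the image on the Cisco software download page is published with its hashes. The script below is an added example, not part of the original article or of any Cisco tool: it pulls the system image filename out of a saved show version capture and compares a copy of the image file (retrieved to a workstation over SCP or TFTP, which is assumed) against the published hashes. The show version text, the image contents and the "published" hashes are all constructed for the example; the filename is a placeholder, not a real Cisco image name.

```python
import hashlib
import hmac
import re

# Constructed sample of a `show version` capture (not output from a real device);
# the image name is a placeholder, not a real Cisco image filename.
SHOW_VERSION_SAMPLE = """\
Cisco IOS Software, Example Software (EXAMPLE-UNIVERSALK9-M), Version 0.0(0), RELEASE SOFTWARE
ROM: System Bootstrap, Version 0.0(0r), RELEASE SOFTWARE
Router uptime is 3 weeks, 2 days, 4 hours, 10 minutes
System returned to ROM by power-on
System image file is "flash0:example-universalk9-mz.bin"
"""


def extract_system_image(show_version_text):
    """Return the system image path quoted on the 'System image file is' line."""
    match = re.search(r'System image file is "([^"]+)"', show_version_text)
    if not match:
        raise ValueError("no 'System image file is' line found in show version output")
    return match.group(1)


def hash_image(data, algorithms=("md5", "sha256")):
    """Hash in-memory image bytes with each requested algorithm (hex digests)."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in algorithms}


def hash_image_file(path, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Hash a file on disk in chunks; IOS images are tens of MB, so do not slurp."""
    hashers = {alg: hashlib.new(alg) for alg in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def image_matches(data, published):
    """True only if every published hash matches; a single mismatch is a failure.

    `published` maps algorithm name to the vendor's hex digest. Comparison is
    constant-time, which costs nothing and avoids a careless pattern.
    """
    computed = hash_image(data, tuple(published))
    return all(
        hmac.compare_digest(computed[alg], published[alg].strip().lower())
        for alg in published
    )


# Constructed stand-in for an image file and the hashes "published" for it.
GOOD_IMAGE = b"The quick brown fox jumps over the lazy dog"
PUBLISHED_HASHES = {
    "md5": "9e107d9d372bb6826bd81d3542a419d6",
    "sha256": "d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592",
}
# A single appended byte is enough to fail the check.
TAMPERED_IMAGE = GOOD_IMAGE + b"\x00"


if __name__ == "__main__":
    image = extract_system_image(SHOW_VERSION_SAMPLE)
    print("system image:", image)
    print("copy of image matches published hashes:", image_matches(GOOD_IMAGE, PUBLISHED_HASHES))
    print("tampered copy matches published hashes:", image_matches(TAMPERED_IMAGE, PUBLISHED_HASHES))
```

In practice you would replace GOOD_IMAGE with hash_image_file("path/to/retrieved-image.bin") and paste the digests from the vendor download page into PUBLISHED_HASHES. Note what this does and does not prove: a matching hash shows the file you retrieved is the vendor's file, and a mismatch is a reason to investigate, but a device whose boot code has already been altered can misreport what it is running, so treat the check as one signal alongside the on-device verify, not as a substitute for it.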

Options And Recommendations

While the risk level is low in this particular case, there are always options available to protect yourself, and it is good practice to run a secure network. This particular vulnerability does not have a specific patch or fix, as it is based on the attacker already having general access to the device, but there are a few things to consider.

If you are ever in any doubt about a breach of any description, it is always a good idea to change all of your passwords, both at user level within applications and at network level on routers, firewalls etc. Make sure your passwords are strong and follow good practice – if in doubt, we have a guide here.

It is probably also a good idea to take the opportunity to review who has access to what, and at which access levels. Where possible, streamline the operation by removing unnecessary access for certain users or lowering their access levels.

Ultimately, if you are concerned about this and fear that you could have holes in your network security, you should consider a full security assessment and audit of systems, which is something that activereach can assist you with.