Hackers Install Malicious ROMMON Images on CISCO Devices

Cisco's Product Security Incident Response Team (PSIRT) monitors Cisco products for vulnerabilities and attacks and publishes reports about malicious activity.

They have recently released information about increasingly sophisticated attacks against platforms running Cisco IOS Software. According to PSIRT, after gaining administrative or physical access to Cisco IOS devices, attackers were able to replace the ROMMON (ROM Monitor) with malicious images.

ROMMON is the bootstrap program, a minimal operating system on Cisco devices that initializes the processor hardware and boots the operating system software. Once the malicious ROMMON image is installed, the device is rebooted and the attacker gains the ability to carry out any activity on the device.

The most dangerous part of this finding is that the malicious ROMMON remains on the Cisco device even after a reboot, so restarting the device does not remove the compromise.

According to Cisco PSIRT:

No product vulnerability is leveraged in this attack, and the attacker requires valid administrative credentials or physical access to the system to be successful. The ability to install an upgraded ROMMON image on IOS devices is a standard, documented feature that administrators use to manage their networks. No CVE ID will be assigned.

The vendor has also released a diagram showing the evolution of attacks against Cisco devices, shown below:

Figure: Attacks on Cisco ROMMON (evolution of attacks against Cisco devices)

Following this discovery, Cisco has updated the following technical documentation to assist administrators:

Cisco recommends that Cisco IOS device administrators review these documents to understand the types of threats against Cisco IOS devices, and that operators ensure their operational procedures include methods for preventing and detecting compromise.
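One concrete way to act on that detection recommendation, as an added example that is not part of the original article and not a Cisco tool: a Python check that reads the ROMMON ("System Bootstrap") version from a device's `show version` output and compares it with an approved per-device baseline, flagging any device whose ROMMON drifted from the recorded version or whose output cannot be verified. The hostnames, version strings, sample output and baseline table are all constructed for illustration; the `ROM:` line format matches what many classic IOS platforms print, but confirm it against your own equipment before relying on the pattern.

```python
"""Baseline check for the ROMMON version reported by Cisco IOS "show version".

Added example, not Cisco's tooling. Assumptions:
- Device output is collected elsewhere (e.g. over SSH) and passed in as text.
- The approved-version table is constructed here; a real deployment would load
  it from change-management records and treat any drift as an incident.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# "ROM:" line as IOS prints it in "show version" on many classic platforms, e.g.
#   ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)
# Confirm against your own platform's output before relying on the pattern.
ROM_LINE = re.compile(
    r"^ROM:\s+System Bootstrap,\s+Version\s+(?P<version>[^,\s]+)", re.MULTILINE
)


@dataclass
class Finding:
    hostname: str
    severity: str  # "HIGH": ROMMON not in baseline; "MEDIUM": cannot verify
    detail: str


def parse_rommon_version(show_version: str) -> Optional[str]:
    """Return the ROMMON (System Bootstrap) version string, or None if absent."""
    m = ROM_LINE.search(show_version)
    return m.group("version") if m else None


def check_rommon(hostname: str, show_version: str,
                 approved: Dict[str, Set[str]]) -> List[Finding]:
    """Compare one device's ROMMON version against its recorded baseline."""
    findings: List[Finding] = []
    version = parse_rommon_version(show_version)
    if version is None:
        # No ROM: line at all: the collector may have failed, or the platform
        # prints it differently. Either way the device is unverified.
        findings.append(Finding(hostname, "MEDIUM",
                                "no ROM: line in show version output; verify manually"))
        return findings
    expected = approved.get(hostname)
    if expected is None:
        findings.append(Finding(hostname, "MEDIUM",
                                f"ROMMON {version} seen but no baseline recorded"))
    elif version not in expected:
        # Persistent bootstrap code changed outside change management.
        findings.append(Finding(hostname, "HIGH",
                                f"ROMMON {version} is not in baseline {sorted(expected)}"))
    return findings


def audit_fleet(outputs: Dict[str, str],
                approved: Dict[str, Set[str]]) -> List[Finding]:
    """Run the check over every device's captured output."""
    findings: List[Finding] = []
    for host, text in outputs.items():
        findings.extend(check_rommon(host, text, approved))
    return findings


# Constructed sample output (not captured from real devices).
SAMPLE_OUTPUT = {
    "edge-rtr-01": (
        "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), "
        "Version 15.4(3)M3, RELEASE SOFTWARE (fc2)\n"
        "ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)\n"
        "edge-rtr-01 uptime is 3 weeks, 2 days, 4 hours, 12 minutes\n"
    ),
    "edge-rtr-02": (
        "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), "
        "Version 15.4(3)M3, RELEASE SOFTWARE (fc2)\n"
        "ROM: System Bootstrap, Version 15.0(1r)M9, RELEASE SOFTWARE (fc1)\n"
        "edge-rtr-02 uptime is 1 day, 2 hours, 5 minutes\n"
    ),
    "core-sw-01": (
        "Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), "
        "Version 12.2(55)SE, RELEASE SOFTWARE (fc2)\n"
        "core-sw-01 uptime is 40 weeks, 3 days\n"
    ),
}

# Constructed baseline: the ROMMON version each device is expected to run.
APPROVED_ROMMON: Dict[str, Set[str]] = {
    "edge-rtr-01": {"15.0(1r)M16"},
    "edge-rtr-02": {"15.0(1r)M16"},
    "core-sw-01": {"12.2(55r)SE"},
}

if __name__ == "__main__":
    for f in audit_fleet(SAMPLE_OUTPUT, APPROVED_ROMMON):
        print(f"[{f.severity}] {f.hostname}: {f.detail}")
```

Run against the constructed sample, the check reports `edge-rtr-02` as HIGH (its ROMMON differs from the baseline) and `core-sw-01` as MEDIUM (no `ROM:` line to verify); `edge-rtr-01` matches and produces no finding. A version match is a necessary but not sufficient condition, since a replaced image could report a legitimate-looking version string, so pair this with the image-integrity checks Cisco's own documentation describes.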
