Using the Message Digest 5 File Validation Feature
Cisco IOS Run-Time Memory Integrity Verification
Verifying Authenticity for Digitally Signed Images
Checking Command History in the Cisco IOS Core Dump
Checking That Cisco IOS Software Call Stacks Are Within the Text Section Boundaries
Cisco IOS Address Space Layout Randomization Considerations
Verify MD5 Validation Feature for the Text Region
Leverage the Latest Cisco IOS Security Protection Features
Use Authentication, Authorization, and Accounting
Use TACACS+ Authorization to Restrict Commands
Use Centralized and Comprehensive Logging

This document analyzes methods that may be used to compromise Cisco devices, including the injection of malicious software in Cisco IOS Software, and describes ways to verify that the software on a Cisco router, both in device storage and in running memory, has not been modified. Additionally, the document presents common best practices that can help protect against attempts to modify hardware or inject malicious software (also referred to as malware) in a Cisco IOS device.

Note: This document applies only to Cisco IOS Software and to no other Cisco operating systems.

In the past, attackers were primarily targeting infrastructure devices to create a denial of service (DoS) situation. While these types of attacks still represent the majority of attacks on network devices, attackers are now looking for ways to subvert the normal behavior of infrastructure devices due to the devices' privileged position within the IT infrastructure. In fact, by owning an infrastructure device such as a router, the attacker may gain a privileged position and be able to access data flows or crypto materials or perform additional attacks against the rest of the infrastructure.

Malware is software created to modify a device's behavior for the benefit of a malicious third party (attacker). One of the characteristics of effective malware is that it can run on a device stealthily in privileged mode. Malware is usually designed to monitor and exfiltrate information from the operating system on which it is running without being detected. An additional property of malware is the capability to be remotely programmable from a Command and Control (C&C) server. Potentially, sophisticated Cisco IOS malware could attempt to hide its presence by modifying Cisco IOS command output that would normally reveal information about the malware's presence. Methods to identify possibly compromised infrastructure devices by using telemetry data are discussed in the Telemetry-Based Infrastructure Device Integrity Monitoring white paper.

In general, malware can be installed by using various methods: by exploiting vulnerabilities on the system, or by manipulating an authorized user via social engineering attacks. On Cisco devices running Cisco IOS Software, a limited number of infection methods are available to malware. To install malware in Cisco IOS Software, attackers may try to use one of the methods described in this section. Malicious software in Cisco IOS Software may be introduced in the following ways:

By altering the software image stored on the onboard device file system. This type of malware would be persistent and remain after a reboot.
By tampering with Cisco IOS memory during run time.
By modifying the ROM monitor on systems with flash-based ROM monitor storage.
By modifying hardware components of a Cisco IOS device.
By a combination of some or all of the preceding methods.

Cisco IOS Software implements several techniques, including the use of safe coding libraries, Address Space Layout Randomization (ASLR), digitally signed software, and Cisco Secure Boot, to help protect against memory and code manipulation and to provide assurances of authenticity. Administrators should make sure their hardware and software support these features to ensure protection of the integrity of the device. However, these technologies will not protect Cisco IOS Software from unauthorized access due to compromised credentials. It is therefore important that administrators protect credentials for privileged accounts (for example, privilege 15) with appropriate controls and by implementing credential management policies. Note that an attacker with administrative access to a device, be it a Cisco device or one from any other vendor, can perform activities that may be dangerous or disruptive.
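The two infection methods most directly addressed by the verification sections listed above, an altered image on the device file system and tampering with running memory, can each be checked with a short script once the relevant data has been copied off the device. The following is an added example, not Cisco's code and not part of the original document. It assumes an image file copied off the router and a published digest for it (on the device itself the same comparison is what the IOS verify /md5 command performs); the image bytes, the image name, the "show region"-style table (layout modelled on IOS output, values invented) and the stack return addresses are all constructed for the demonstration.

```python
"""Offline integrity checks for a Cisco IOS image and a captured call stack.

Added example, not Cisco's code.  Every input below (image bytes, the
'show region'-style table, the return addresses) is constructed for the
demonstration; real values come from the device and the vendor download page.
"""
import hashlib
import hmac
import re

# --- 1. Image file digest check ------------------------------------------

# Constructed stand-in for an IOS image copied off the device's file system.
GOOD_IMAGE = bytes(range(256)) * 64          # 16 KiB of deterministic bytes

# Constructed stand-in for the vendor-published digests of that image.
# MD5 is kept because that is the feature the document names; SHA-512 is
# the stronger choice where a published value is available.
KNOWN_GOOD = {
    "ios-image-placeholder.bin": {           # placeholder image name
        "md5": hashlib.md5(GOOD_IMAGE).hexdigest(),
        "sha512": hashlib.sha512(GOOD_IMAGE).hexdigest(),
    }
}

def image_digest(data: bytes, algo: str = "md5") -> str:
    """Return the hex digest of an image's bytes with the chosen algorithm."""
    return hashlib.new(algo, data).hexdigest()

def verify_image(name: str, data: bytes, algo: str = "md5") -> bool:
    """True only if the image's digest matches the published value.

    An image with no published digest is treated as unverified (False),
    not as a pass: an unknown file is exactly what should raise an alarm.
    """
    expected = KNOWN_GOOD.get(name, {}).get(algo)
    if expected is None:
        return False
    return hmac.compare_digest(image_digest(data, algo), expected)

# --- 2. Call-stack addresses versus the text region ----------------------

# Constructed table in the layout of IOS 'show region' output; the
# addresses and sizes are invented but internally consistent.
SHOW_REGION = """\
Region Manager:

      Start         End     Size(b)  Class  Media  Name
 0x60000000  0x69FFFFFF    167772160  Local  R/W    main
 0x60008980  0x612F9B5F     19861984  IText  R/O    main:text
 0x612FC000  0x6188F9C3      5847492  IData  R/W    main:data
 0x61890000  0x69FFFFFF    142016512  Local  R/W    main:heap
"""

REGION_LINE = re.compile(
    r"^\s*(0x[0-9A-Fa-f]+)\s+(0x[0-9A-Fa-f]+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)

def parse_regions(text: str) -> dict:
    """Map region name -> (start, end) for every address line in the table."""
    regions = {}
    for line in text.splitlines():
        m = REGION_LINE.match(line)
        if m:
            regions[m.group(6)] = (int(m.group(1), 16), int(m.group(2), 16))
    return regions

def addresses_outside_text(return_addrs, regions) -> list:
    """Return every return address that does not lie inside main:text.

    Legitimate IOS code executes from the text region, so a frame whose
    return address points into data or heap is the run-time tampering
    indicator the document's call-stack check looks for.
    """
    lo, hi = regions["main:text"]
    return [a for a in return_addrs if not lo <= a <= hi]

# Constructed return addresses as they might be read from a stack trace:
# two inside main:text and one inside main:heap.
SAMPLE_STACK = [0x60123456, 0x61234ABC, 0x618A1000]

def run_checks() -> dict:
    """Run both checks on the constructed data and return the findings."""
    tampered = bytearray(GOOD_IMAGE)
    tampered[10] ^= 0xFF                     # flip one byte, as a patch would
    regions = parse_regions(SHOW_REGION)
    name = "ios-image-placeholder.bin"
    return {
        "image_ok": verify_image(name, GOOD_IMAGE),
        "tampered_ok": verify_image(name, bytes(tampered)),
        "sha512_ok": verify_image(name, GOOD_IMAGE, "sha512"),
        "suspect_frames": addresses_outside_text(SAMPLE_STACK, regions),
    }

if __name__ == "__main__":
    for check, result in run_checks().items():
        shown = [hex(a) for a in result] if isinstance(result, list) else result
        print(f"{check}: {shown}")
```

The digest comparison deliberately fails closed: a file with no known-good value is reported as unverified rather than skipped, because a renamed or unexpected image is itself a finding. The region parser keys on the region name so the same function can be reused to pull main:data or main:heap bounds if a further check needs them.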