
Are there any malware that target Cisco switches? I recently got one from a friend whose company threw them out after a ransomware attack, and I am wondering if there is anything to be concerned about.

Edit: model number is SG200-50.

Chris
  • Your question is too broad. There are Cisco professional switches like the Catalyst series and home series which are easy to compromise. – Overmind Sep 25 '19 at 07:27
  • How is it too broad? And what do you mean by compromise? The specific model is SG200-50. – Chris Sep 25 '19 at 11:29

2 Answers

Not malware per se, but security vulnerabilities for sure.

https://www.cvedetails.com/product/19/Cisco-IOS.html?vendor_id=16

https://www.cvedetails.com/vulnerability-list.php?vendor_id=16&product_id=&version_id=&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=1&trc=3980&sha=b6b9f0966b7dbca88b729e5b85a1f8fffc37d986

joeqwerty
  • Those are usually fixed by firmware patches, correct? – Chris Sep 25 '19 at 00:48
  • Thanks, I’m a developer and don’t know enough about the hardware side. I will work through the list and see what needs to be done to secure it. Obviously more concerned about a ransomware somehow having infected it, but definitely will plug those vulnerabilities. – Chris Sep 25 '19 at 00:55
  • Do yourself a favor and search by Cisco product. Find your product, look at the details of the vulnerabilities and see which ones are applicable to your equipment. - https://www.cvedetails.com/product-list/vendor_id-16/Cisco.html – joeqwerty Sep 25 '19 at 00:59
  • Will do, thanks for the pointers. – Chris Sep 25 '19 at 01:03
  • Sorry to bug you, after reading this (https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices) I installed the latest boot and firmware on the device (SG200-50), and that model shows up in only one case (https://www.cvedetails.com/vulnerability-list/vendor_id-16/product_id-57238/year-2019/Cisco-Sg200-50-Firmware.html). Is there anything else I can check? – Chris Sep 27 '19 at 16:52
  • You could scan the device with a vulnerability scanner and see if it detects anything. – joeqwerty Sep 27 '19 at 16:56
  • Thank you, could you propose something specific? – Chris Sep 27 '19 at 17:00

Security research has demonstrated Cisco device malware for years.

Killing the Myth of Cisco IOS Diversity

As our experimental results show, the techniques proposed in this paper can reliably inject command and control capabilities into arbitrary IOS images in a version-agnostic manner. We believe that the technique presented in this paper overcomes an important hurdle in the large-scale, reliable rootkit execution within Cisco IOS.

The hardware module recently added to try and add verification can also be defeated by a clever enough attacker.

Defeating Cisco Trust Anchor

The TAm exploit described in this paper allows the attacker to fully bypass all Trust Anchor functionality, including hardware-assisted secure boot, and to stealthily inject persistent malicious implants within both the TAm FPGA and the application processor.

But a specific vendor's security or lack thereof is not the point. Any computer system can be compromised: software that doesn't verify or isn't hardened, hardware that may be even worse, and vendors that do not put the effort into security.

This then becomes an exercise in risk management. Are you confident you have patched all known security flaws, and that the software updates are authentic? Are you confident the hardware didn't fall off the back of a truck and get persistent malware installed in the hardware?

Tolerance of these risks varies in different environments, say a test lab versus an organization with nation state enemies.

John Mahowald
  • Yes, 100% sure of both the origins and trustworthiness of the equipment and source. The company had a major ransomware incident and their head office enforced a policy of throwing out all their existing servers and network infrastructure. As a result they had a few switches to scrap, and he passed one on to me. I’m just trying to verify if their head office knows something I don’t. It’s an SG200-50 if it matters. – Chris Sep 26 '19 at 10:50