North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: IOS Rookit: the sky isn't falling (yet)

  • From: goemon
  • Date: Tue May 27 13:48:43 2008

On Tue, 27 May 2008, [email protected] wrote:
On Tue, 27 May 2008 11:24:19 MDT, Chris Grundemann said:
Like MD5 File Validation? - "MD5 values are now made available on for all Cisco IOS software images for comparison against
local system image values."
That does wonders for catching a corruption in the FTP that wasn't caught
by the relatively weak TCP checksumming.
But if the attacker has the wherewithal to cause a modified file to be
downloaded (either by replacing it on the real server, or getting you to
visit a fake server), they can also present you with a webpage that has an
MD5 hash that matches the modified file.
Now, if they provided a PGP signature of the file, done with a key that I
have reason to trust, *that* raises the bar significantly...

What you want is cisco hardware that verifies firmware signatures in hardware.