Cisco Blogs


Evolution of attacks on Cisco IOS devices

While “SYNful Knock” is the latest identified malware targeting Cisco devices running Cisco IOS, we have identified and investigated six other malware incidents during the last four years that target Cisco devices running Cisco IOS. The nature of threats is evolving and Cisco will continue to adapt technology delivering trustworthy solutions that our customers can rely on. This also means that customers will need to evolve, fully utilizing the security tools that are available, as well as ensuring security best practices are in place.

The malware used in these evolved Cisco IOS attacks shows increasing complexity in the modifications made to Cisco IOS, in the behavior of its Command and Control (C&C) network (where one is present), and in the platforms targeted.

Before talking about specifics of each investigated malware incident, it is important to note that in all cases, no evidence has been found that attackers exploited a previously known or unknown vulnerability to install the malware. All available data points suggest either the use of compromised administrator credentials or physical access to the devices or images.

The following table and its accompanying description provide a brief overview of the malware samples and of the actions Cisco took in response to the findings. The source of this information is internal analysis performed by Cisco forensics teams.



Debuting the Autonomic Train at Cisco Live

Today at Cisco Live we started to show a train model that we use as a testing/validation vehicle for applicable train technologies.

At Cisco Live, the train includes our Cisco IE2000 industrial switches (IP67 and non-IP67 versions), a Cisco 819 M2M router, our target application-hosting server PC with VSMS, and an even smaller application-hosting server: a Raspberry Pi.

Every car also hosts our ruggedized Cisco IPVSC-6050 cameras and a demo version of a passenger information system (PIS) with both outside-train LCD and top-of-seat LCD panels. The PIS is built on an Arduino/Linux prototype platform. Cameras and PIS devices are PoE-powered from our switches.


T-7: The Bundle Countdown Begins…

It’s that time of year again—the Cisco IOS Software Security Advisory Bundled Publication will go live in seven days. As a reminder, the Cisco Product Security Incident Response Team (PSIRT) releases bundles of Cisco IOS Software Security Advisories on the fourth Wednesday of March and September each calendar year. As is the case with the vast majority of our advisories, vulnerabilities scheduled for disclosure in these upcoming Security Advisories will normally have a Common Vulnerability Scoring System (CVSS) Base Score from 7.0 to 10.0.

To ensure you’re prepared for the upcoming publication, consider:

  • Creating a text file of all the Cisco IOS Software releases in your network
  • Assembling a simple list of Cisco IOS Software technologies and features you use
  • Noting your Cisco.com username and password
  • Locating the username and password for your Cisco IOS routers and switches
  • Ensuring network operation partners are prepared for the security advisory release
  • Reviewing the benefits of OVAL and CVRF content
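The first two items on that checklist (a text file of the IOS releases in the network, and a list of the features in use) are what you will match against the advisories when they land. As an added example, not code from the original post or from Cisco, here is a small parser that builds that inventory from saved `show version` output. It keys on the banner line that IOS and IOS XE print first (`Cisco IOS Software, ... (<image>), Version <release>, ...`) and on the `<hostname> uptime is` line; the image name is kept because it identifies the feature set (for example a K9 image carries crypto). The sample outputs, hostnames and release strings are constructed for the example, and a non-IOS device is included to show that it is skipped rather than mis-filed.

```python
import re

# Constructed "show version" excerpts for five devices; hostnames and release
# strings are made up for this example, not taken from a real network.
SAMPLES = [
    """Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(55)SE12, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2017 by Cisco Systems, Inc.

access-sw-01 uptime is 2 weeks, 3 days, 4 hours, 12 minutes
""",
    """Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(55)SE12, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport

access-sw-02 uptime is 5 days, 1 hour, 3 minutes
""",
    """Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(4)M10, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport

edge-rtr-01 uptime is 1 year, 12 weeks, 2 days, 9 hours, 41 minutes
""",
    """Cisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch Software (cat4500e-UNIVERSALK9-M), Version 03.06.01E RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport

core-sw-01 uptime is 30 weeks, 4 days, 2 hours, 5 minutes
""",
    # Constructed NX-OS banner: not IOS, so the parser must skip it.
    """Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
  NXOS: version 7.0(3)I7(4)
dc-leaf-01 uptime is 10 days, 2 hours
""",
]

# Banner line of IOS / IOS XE: image name in parentheses, then "Version <release>"
# terminated by a comma or whitespace (releases like 12.2(55)SE12 contain parentheses).
BANNER_RE = re.compile(
    r"^Cisco IOS Software.*?\((?P<image>[^)]+)\),\s*Version\s+(?P<version>[^,\s]+)",
    re.MULTILINE,
)
HOST_RE = re.compile(r"^(?P<host>\S+) uptime is ", re.MULTILINE)


def parse_show_version(text):
    """Return (hostname, image, release) from one device's 'show version'
    output, or None when the text carries no IOS / IOS XE banner line."""
    banner = BANNER_RE.search(text)
    if banner is None:
        return None
    host = HOST_RE.search(text)
    hostname = host.group("host") if host else "unknown"
    return hostname, banner.group("image"), banner.group("version")


def build_inventory(outputs):
    """Map each distinct release to a sorted list of (hostname, image) running it."""
    inventory = {}
    for text in outputs:
        parsed = parse_show_version(text)
        if parsed is None:
            continue          # not an IOS device; leave it out of the IOS inventory
        hostname, image, release = parsed
        inventory.setdefault(release, []).append((hostname, image))
    return {release: sorted(hosts) for release, hosts in inventory.items()}


def release_list(outputs):
    """The one-release-per-line text file the checklist asks for."""
    return "\n".join(sorted(build_inventory(outputs))) + "\n"


def images_in_use(outputs):
    """Distinct image names (feature sets) present in the network, sorted."""
    return sorted({image for hosts in build_inventory(outputs).values()
                   for _, image in hosts})


if __name__ == "__main__":
    for release, hosts in sorted(build_inventory(SAMPLES).items()):
        print(release, [hostname for hostname, _ in hosts])
    print(release_list(SAMPLES), end="")
```

In practice the `SAMPLES` list would be replaced by the contents of files collected from each device; the parser deliberately reads only the banner and uptime lines, so the rest of the output can vary between platforms without affecting it.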


Cisco’s onePK Part 2: Reaching out to a Network Element


In the previous installment of the onePK series, you received a crash course on Cisco’s onePK. In this article, you’ll take the next step with a fun little exposé on onePK’s C API. You will learn how to write a simple program to reach out and connect to a network element. This is staple onePK functionality and is the foundation upon which most onePK applications are built.

Preambling Details

The following short program, “ophw” (onePK Hello World), is a fully functional onePK application that connects to a network element, queries its system description, and then disconnects. It does nothing beyond that, but it highlights the linchpin onePK code: network element connection and session handle instantiation. This is the foundational work every onePK application must do before it can get anything useful done.


Extending Zeroconf Services: Cache Tuning


With the introduction of the Cisco mDNS Service Discovery Gateway (SDG) in IOS, customers who have deployed it are observing client behavior they had not seen before extending services across subnet boundaries. One such effect is the duplicate name issue that appears when a device with enabled services is moved from one L3 subnet to another, and both subnets happen to be connected to the same router or switch running the SDG.


When a device (such as a Mac OS X computer) offers a service like Remote Login (SSH) or Screen Sharing (VNC), it announces that service via mDNS/Bonjour/Zeroconf under the hostname configured in ‘System Preferences -> Sharing -> Computer Name’ (see Fig. 1).
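The mechanism behind the duplicate name symptom is easier to see in a small model. The following is an added example, not Cisco's SDG code: it models the gateway as a cache keyed by service instance name, with each record remembering the subnet and address it was learned on and when it expires. An mDNS responder probes for its desired name before claiming it (RFC 6762, section 8.1) and, if something answers, appends a number to make the name unique. When the moved device probes on the new subnet while the gateway still holds its old record, the gateway answers, the device believes the name is taken, and it comes up as “MyMac (2)”. The cache lifetime, subnets, addresses and the `flush_subnet` operation are assumptions made for the model, as is the simplification that a single probe decides the outcome.

```python
# Simplified model (added example, not Cisco's implementation) of a stale
# Service Discovery Gateway cache record producing a duplicate-name conflict
# when a device moves between two subnets behind the same gateway.

RENAME_SUFFIX = " (2)"   # mDNS responders resolve a name conflict by appending a number


class SdgCache:
    """Gateway cache keyed by (instance name, service type). Each record keeps
    the subnet and address it was learned on plus an expiry time; the lifetime
    is the knob that cache tuning adjusts (value here is an assumption)."""

    def __init__(self, lifetime_seconds):
        self.lifetime = lifetime_seconds
        self.records = {}

    def learn(self, instance, service, subnet, address, now):
        self.records[(instance, service)] = (subnet, address, now + self.lifetime)

    def lookup(self, instance, service, now):
        rec = self.records.get((instance, service))
        if rec is None:
            return None
        subnet, address, expires = rec
        if expires <= now:                       # expired: drop it and report a miss
            del self.records[(instance, service)]
            return None
        return subnet, address

    def flush_subnet(self, subnet):
        """Drop every record learned on one subnet (a hypothetical link-change hook)."""
        self.records = {k: v for k, v in self.records.items() if v[0] != subnet}


def announce(cache, instance, service, subnet, address, now):
    """Client probes for its desired name before claiming it. If the gateway
    still answers with a record for that name from a different subnet or
    address, the client treats the name as taken and renames itself."""
    hit = cache.lookup(instance, service, now)
    if hit is not None and hit != (subnet, address):
        instance = instance + RENAME_SUFFIX
    cache.learn(instance, service, subnet, address, now)
    return instance


def move_between_subnets(lifetime_seconds, dwell_seconds, flush_on_move=False):
    """A Mac advertising SSH on subnet A moves to subnet B after dwell_seconds
    (constructed subnets and addresses). Returns the instance name it ended up
    with on each subnet."""
    cache = SdgCache(lifetime_seconds)
    service = "_ssh._tcp.local"
    on_a = announce(cache, "MyMac", service, "10.1.1.0/24", "10.1.1.20", now=0)
    if flush_on_move:
        cache.flush_subnet("10.1.1.0/24")
    on_b = announce(cache, "MyMac", service, "10.1.2.0/24", "10.1.2.30", now=dwell_seconds)
    return on_a, on_b


if __name__ == "__main__":
    print(move_between_subnets(lifetime_seconds=3600, dwell_seconds=60))  # stale record: renamed
    print(move_between_subnets(lifetime_seconds=30, dwell_seconds=60))    # record expired: no conflict
    print(move_between_subnets(3600, 60, flush_on_move=True))             # flushed on move: no conflict
```

The two runs differ only in whether the old record is still alive when the device probes on the new subnet, which is why the cache lifetime is the parameter to look at; a device that re-announces on the same subnet with the same address keeps its name, since the cached record is its own.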