{
	"id": "c9ac177a-0816-4f37-87b1-141b3fa7df0f",
	"created_at": "2026-04-06T02:12:05.35193Z",
	"updated_at": "2026-04-10T13:12:59.466732Z",
	"deleted_at": null,
	"sha1_hash": "a6fb7e4221fe059883fbe275616374202b882c3c",
	"title": "Cisco IOS Software Integrity Assurance",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 472520,
	"plain_text": "Cisco IOS Software Integrity Assurance\r\nArchived: 2026-04-06 02:10:03 UTC\r\nContents\r\nIntroduction\r\nPotential Attack Methods\r\n      Commands\r\n      Manipulating Cisco IOS Images\r\n      Vulnerabilities\r\nIdentification Techniques\r\n      Cisco IOS Image File Verification\r\n         Using the Message Digest 5 File Validation Feature\r\n         Using the Image Verification Feature\r\n         Using Offline Image File Hashes\r\n         Using Information from Cisco.com\r\n         Verifying Authenticity for Digitally Signed Images\r\n      Cisco IOS Run-Time Memory Integrity Verification\r\n         Core Dump\r\n         Text Memory Section Export\r\n         Verify MD5 Validation Feature for the Text Region\r\n         Cisco IOS Address Space Layout Randomization Considerations\r\n      Additional Indicators of Compromise\r\n         Unusual and Suspicious Commands\r\n         Checking That Cisco IOS Software Call Stacks Are Within the Text Section Boundaries\r\n         Checking Command History in the Cisco IOS Core Dump\r\n         Checking the Command History\r\n         Checking External Accounting Logs\r\n         Checking External Syslog Logs\r\n         Checking Booting Information\r\n         Checking the ROM Monitor Variable\r\n         Checking the ROM Monitor Information\r\nSecurity Best Practices\r\n      Maintain Cisco IOS Image File Integrity\r\n      Implement Change Control\r\n      Harden the Software Distribution Server\r\n      Keep Cisco IOS Software Updated\r\n      Deploy Digitally Signed Cisco IOS Images\r\n      Cisco Secure Boot\r\nhttps://tools.cisco.com/security/center/resources/integrity_assurance.html#30\r\nPage 1 of 33\n\nCisco Value Chain Security\r\n      Leverage the Latest Cisco IOS Security Protection Features\r\n      Use Authentication, Authorization, and Accounting\r\n      Use TACACS+ Authorization to Restrict Commands\r\n      Implement Credentials Management\r\n      Implement Configuration 
Controls\r\n      Protect Interactive Access to Devices\r\n      Gain Traffic Visibility with NetFlow\r\n      Use Centralized and Comprehensive Logging\r\nConclusion\r\nAcknowledgments\r\nReferences\r\nIntroduction\r\nThis document analyzes methods that may be used to compromise Cisco devices, including the injection of\r\nmalicious software in Cisco IOS Software, and describes ways to verify that the software on a Cisco router, both\r\nin device storage and in running memory, has not been modified. Additionally, the document presents common\r\nbest practices that can help protect against attempts to modify hardware or inject malicious software (also referred\r\nto as malware) in a Cisco IOS device.\r\nNote: This document applies only to Cisco IOS Software and to no other Cisco operating systems.\r\nIn the past, attackers were primarily targeting infrastructure devices to create a denial of service (DoS) situation.\r\nWhile these types of attacks still represent the majority of attacks on network devices, attackers are now looking\r\nfor ways to subvert the normal behavior of infrastructure devices due to the devices' privileged position within the\r\nIT infrastructure.\r\nIn fact, by owning an infrastructure device such as a router, the attacker may gain a privileged position and be able\r\nto access data flows or crypto materials or perform additional attacks against the rest of the infrastructure.\r\nMalware is software created to modify a device's behavior for the benefit of a malicious third party (attacker). One\r\nof the characteristics of effective malware is that it can run on a device stealthily in privileged mode. Malware is\r\nusually designed to monitor and exfiltrate information from the operating system on which it is running without\r\nbeing detected. 
Potentially, sophisticated Cisco IOS malware could attempt to hide its presence by modifying\r\nCisco IOS command output that would normally reveal information about the malware's presence.\r\nAn additional property of malware is the capability to be remotely programmable from a Command and Control\r\n(C\u0026C) server. Methods to identify possibly compromised infrastructure devices by using telemetry data are\r\ndiscussed in the Telemetry-Based Infrastructure Device Integrity Monitoring white paper.\r\nIn general, malware can be installed by using various methods: by exploiting vulnerabilities on the system, or by\r\nmanipulating an authorized user via social engineering attacks.\r\nOn Cisco devices running Cisco IOS Software, a limited number of infection methods are available to malware.\r\nMalicious software in Cisco IOS Software may be introduced in the following ways:\r\nBy altering the software image stored on the onboard device file system. This type of malware would be\r\npersistent and remain after a reboot.\r\nBy tampering with Cisco IOS memory during run time.\r\nBy modifying the ROM monitor on systems with flash-based ROM monitor storage.\r\nBy exploiting a vulnerability.\r\nBy modifying hardware components of a Cisco IOS device.\r\nBy a combination of some or all of the preceding methods.\r\nPotential Attack Methods\r\nTo install malware in Cisco IOS Software, attackers may try to use one of the methods described in this section.\r\nCisco IOS Software implements several techniques, including the use of safe coding libraries, Address Space\r\nLayout Randomization (ASLR), digitally signed software, and Cisco Secure Boot to help protect against memory\r\nand code manipulation and provide assurances of authenticity. 
Administrators should make sure their hardware\r\nand software supports these features to ensure protection of the integrity of the device.\r\nHowever, these technologies will not protect Cisco IOS Software from unauthorized access due to compromised\r\ncredentials. It is therefore important that administrators protect credentials for privileged accounts (for example,\r\nprivilege 15) with appropriate controls and by implementing credentials management policies.\r\nNote that an attacker with administrative access to a device, be it a Cisco device or one from any other vendor, can\r\nperform activities that may be dangerous or disruptive. Given the state of the current Cisco IOS integrity\r\nprotection technology, attacks will often exploit inadequacies in secure configuration and network design likely by\r\ntrying to obtain administrative access.\r\nCommands\r\nSome Cisco IOS devices offer sets of commands that are intended to be used by Cisco Technical Assistance\r\nCenter (TAC) engineers when troubleshooting a technical problem. Such advanced troubleshooting and diagnostic\r\ncommands require privileged EXEC level and valid credentials to execute. If these device credentials are\r\ncompromised, an attacker may be able to use the commands to inject code in memory during run time and modify\r\nthe behavior of a Cisco IOS device.\r\nIt is important to note that not all Cisco IOS platforms offer advanced diagnostic commands. Of the platforms that\r\ndo, only a very limited set of such commands is usually available. Following common authentication and\r\ncommand authorization security best practices and protecting administrator credentials will help prevent attackers\r\nfrom attempting to install malicious software in Cisco IOS Software. 
Such best practices are discussed in\r\nthe Security Best Practices section of this document.\r\nManipulating Cisco IOS Images\r\nIt is possible that an attacker could insert malicious code into a Cisco IOS Software image and load it onto a Cisco\r\ndevice that supports the image. This attack scenario applies to any computing device that loads its operating\r\nsystem from an external, writable device. Even though such a scenario is not impossible, there are image\r\nverification techniques, discussed in the Cisco IOS Image File Verification section of this document, that could\r\nprevent the router from loading such an image.\r\nCisco IOS also offers additional protection for Cisco IOS devices and software releases that\r\nsupport digitally signed Cisco IOS Software and Cisco Secure Boot technology. In all cases, such types of attack\r\nwould require privileged access to the target device.\r\nVulnerabilities\r\nAs with every operating system, it is possible that a vulnerability could exist in Cisco IOS Software that, under\r\ncertain conditions, could allow malicious code execution. In such a scenario, an attacker who exploited the\r\nvulnerability could install or run malicious code in Cisco IOS Software. The Cisco Product Security Incident\r\nResponse Team (PSIRT) identifies, manages, and discloses all vulnerabilities in and fixes for Cisco products. 
Any\r\nvulnerability that Cisco is made aware of is investigated and disclosed in accordance with the Cisco vulnerability\r\ndisclosure policy.\r\nThe table below summarizes the possible attack methods, the privileges required to perform the attack, and the\r\nrecommended best practices that, if followed, would greatly reduce the chance of a successful attack.\r\nPossible Attack Methods\r\nAttack Vector Privileges Required Recommended Best Practices\r\nCode injection in run time via IOS\r\ncommands\r\nAdministrative\r\nprivileges\r\nUse Authentication, Authorization, and\r\nAccounting\r\nUse TACACS+ Authorization to\r\nRestrict Commands\r\nImplement Credentials Management\r\nImplement Configuration Controls\r\nModified Binary Image Administrative\r\nprivileges\r\nUse Cisco Secure Boot\r\nDeploy Digitally Signed Cisco IOS\r\nImages\r\nMaintain Cisco IOS Image File\r\nIntegrity\r\nImplement Change Control\r\nHarden the Software Distribution\r\nhttps://tools.cisco.com/security/center/resources/integrity_assurance.html#30\r\nPage 4 of 33\n\nServer\r\nImplement Credentials Management\r\nProtect Interactive Access to Devices\r\nModified ROMMON Image\r\nAdministrative\r\nprivileges\r\nUse Cisco Secure Boot\r\nDeploy Digitally Signed Cisco IOS\r\nImages\r\nImplement Change Control\r\nHarden the Software Distribution\r\nServer\r\nImplement Credentials Management\r\nProtect Interactive Access to Devices\r\nHardware Modification\r\nPhysical access to the\r\ndevice\r\nCisco Value Chain Security\r\nVulnerabilities that could cause\r\nwriting in memory\r\nDepends on the\r\nvulnerability\r\nKeep Cisco IOS Software Updated\r\nIdentification Techniques\r\nThis section describes methods that can identify the modification of Cisco IOS image files and run-time memory.\r\nThe absence of indicators of compromise using these methods may not guarantee that the Cisco IOS device is free\r\nfrom compromise. 
Readers should note that when facing potential exploitation, the chain of custody becomes\r\nimportant. Administrators need to be aware of chain of custody through all forensic activities, including those\r\npresented below, because an exploit could alter specific forensic outputs that would further affect the forensic\r\nanalysis.\r\nNote: The examples in this document, unless otherwise noted, are taken from a Cisco 7600 Series device using\r\nRoute Switch Processor 720 and running Cisco IOS 15.1(3)S3 advanced IP services. The output on your device\r\nmay differ based on device model, operating system release, and feature set. In addition, the commands in this\r\ndocument may use a different syntax, or they may not be present at all. The Cisco recommendation is to follow up\r\nwith your support organization if you need details about implementing these recommendations for a specific\r\ncombination of device model, Cisco IOS release, and feature set.\r\nCisco IOS Image File Verification\r\nNetwork administrators can use one of several security features to verify the authenticity and integrity of Cisco\r\nIOS Software images in use on their network devices. It is also possible to use a process that does not rely on\r\nfeatures in Cisco IOS Software.\r\nhttps://tools.cisco.com/security/center/resources/integrity_assurance.html#30\r\nPage 5 of 33\n\nThe following sections contain information about Cisco IOS Software features and administrative processes that\r\ncan be used to verify the authenticity and integrity of a Cisco IOS Software image.\r\nUsing the Message Digest 5 File Validation Feature\r\nThe Message Digest 5 (MD5) File Validation feature allows network administrators to calculate the MD5 hash of\r\na Cisco IOS Software image file that is loaded on a device. It also allows administrators to verify the calculated\r\nMD5 hash against that provided by the user. 
After the MD5 hash value of the installed Cisco IOS image is\r\ndetermined, it can also be compared with the MD5 hash provided by Cisco to verify the integrity of the image file.\r\nNote: The MD5 File Validation feature can be used only to check the integrity of a Cisco IOS Software image that\r\nis stored on a Cisco IOS device. It cannot be used to check the integrity of an image running in memory.\r\nMD5 hash calculation and verification using the MD5 File Validation feature can be accomplished using the\r\nfollowing command:\r\nverify /md5 filesystem:filename [md5-hash]\r\nNetwork administrators can use the verify /md5 privileged EXEC command to verify the integrity of image files\r\nthat are stored on the Cisco IOS file system of a device. The following example shows how to use the verify\r\n/md5 command on a Cisco IOS device:\r\nrouter#verify /md5 sup-bootdisk:c7600rsp72043-advipservicesk9-mz.151-3.S3\r\n.....\u003coutput truncated\u003e.....Done!\r\nverify /md5 (sup-bootdisk:c7600rsp72043-advipservicesk9-mz.151-3.S3) = e383bf779e1373678395\r\nrouter#\r\nNetwork administrators can also provide an MD5 hash to the verify command. If the hash is provided,\r\nthe verify command will compare the calculated and provided MD5 hashes as illustrated in the following\r\nexample:\r\nrouter#verify /md5 sup-bootdisk:c7600rsp72043-advipservicesk9-mz.151-3.S3 e383bf779e137367\r\n.....\u003coutput truncated\u003e.....Done!\r\nVerified (sup-bootdisk:c7600rsp72043-advipservicesk9-mz.151-3.S3) = e383bf779e137367839593e\r\nrouter#\r\nIf the network administrator provides an MD5 hash that does not match the hash calculated by the MD5 File\r\nValidation feature, an error message will be displayed. 
This message is shown in the following example:\r\nrouter# verify /md5 sup-bootdisk:c7600rsp72043-advipservicesk9-mz.151-3.S3 0c5be63c4e339707\r\n.....\u003coutput truncated\u003e.....Done!\r\n%Error verifying sup-bootdisk:c7600rsp72043-advipservicesk9-mz.151-3.S3\r\nComputed signature = e383bf779e137367839593efa8f0f725\r\nhttps://tools.cisco.com/security/center/resources/integrity_assurance.html#30\r\nPage 6 of 33\n\nSubmitted signature = 0c5be63c4e339707efb7881fde7d5324\r\nrouter#\r\nIn the preceding examples, the verify /md5 command calculates and displays the MD5 hash for the entire Cisco\r\nIOS image file. This approach is in contrast to the updated verify command in the Image Verification feature,\r\nwhich calculates the hash for the entire Cisco IOS image as well as specific portions of the uncompressed Cisco\r\nIOS image file.\r\nThe verify privileged EXEC command was originally introduced for the MD5 File Validation feature and updated\r\nby the Image Verification feature to verify the integrity of image files that are stored locally on a device. It can be\r\nused to obtain information about the image hashes. The following example demonstrates how to use the\r\nupdated verify command on a Cisco IOS device:\r\nrouter#verify sup-bootdisk:c7600rsp72043-advipservicesk9-mz.151-3.S3\r\nVerifying file integrity of sup-bootdisk:c7600rsp72043-advipservicesk9-mz.151-3.S3\r\n.....\u003coutput truncated\u003e.....Done!\r\nEmbedded Hash MD5 : FCEBD3E1AF32221091E920D5960CAE45\r\nComputed Hash MD5 : FCEBD3E1AF32221091E920D5960CAE45\r\nCCO Hash MD5 : E383BF779E137367839593EFA8F0F725\r\nSignature Verified\r\nrouter#\r\nIn the preceding output, three MD5 hash values are displayed by the verify command. The following is an\r\nexplanation of each MD5 hash value:\r\nEmbedded Hash: MD5 hash stored by Cisco in a section of the Cisco IOS image file during the image\r\nbuild process; used to verify section integrity for the Cisco IOS Software image file. 
This MD5 hash value\r\nis calculated for certain sections of the Cisco IOS image file.\r\nComputed Hash: MD5 hash that the Image Verification feature calculates for certain sections of the Cisco\r\nIOS Software image file when the verify command is executed. This value should be the same as the\r\nEmbedded Hash to verify section integrity of the Cisco IOS image file. If this value is not equal to the\r\nEmbedded Hash, the Cisco IOS image file may be corrupted or intentionally altered.\r\nCCO Hash: MD5 hash for the entire Cisco IOS image file. This hash is computed by the verify command\r\nand is not stored in the Cisco IOS Software image. This value should match the value provided in\r\nthe Support and Downloads area of the Cisco.com website for this image.\r\nFor additional information, see the Image Verification section of Cisco IOS User Security Configuration Guide.\r\nUsing the Image Verification Feature\r\nThe Image Verification feature builds on the MD5 File Validation functionality to allow network administrators to\r\nmore easily verify the integrity of an image file that is loaded on the Cisco IOS file system of a device. The\r\npurpose of the Image Verification feature is to ensure that corruption of the Cisco IOS Software image file has not\r\noccurred. 
The corruption detected by this feature could have occurred at any time, such as during the download\r\nfrom Cisco.com or the installation process.\r\nNote: The Image Verification feature does not check the integrity of the image running in memory.\r\nCisco IOS Software image file verification using this feature can be accomplished using the following commands:\r\nfile verify auto\r\ncopy [/erase] [/verify | /noverify] source-url destination-url\r\nreload [warm] [/verify | /noverify] [text | in time [text] | at time [text] | cancel\r\nNetwork administrators can use the file verify auto global configuration command to enable verification of all\r\nimages that are either copied using the copy privileged EXEC command or loaded using the reload privileged\r\nEXEC command. These images are automatically verified for image file integrity.\r\nThe following example shows how to configure the file verify auto Cisco IOS feature:\r\nrouter#configure terminal\r\nrouter(config)#file verify auto\r\nrouter(config)#exit\r\nrouter#\r\nIn addition to file verify auto, both the copy and reload commands have a /verify argument that enables the\r\nImage Verification feature to check the integrity of the Cisco IOS image file. This argument must be used each\r\ntime an image is copied to or reloaded on a Cisco IOS device if the global configuration command file verify\r\nauto is not present.\r\nFor information about the copy /verify and reload /verify commands, see the Image Verification section of Cisco\r\nIOS User Security Configuration Guide.\r\nUsing Offline Image File Hashes\r\nFor a file stored on an administrative workstation, a network administrator can verify the MD5 or SHA-512 hash\r\nfor that Cisco IOS image file using an MD5 or SHA-512 hashing utility. Examples of such utilities are md5sum or\r\nsha512sum. 
Additionally, the size of the Cisco IOS image file can be obtained using the ls command on Linux and\r\nBSD operating systems and the dir command on Microsoft Windows platforms.\r\nThe following example demonstrates the MD5 calculation and file size display for Linux-based systems:\r\n$\r\n$ md5sum 7600rsp72043-advipservicesk9-mz.151-3.S3.bin\r\ne383bf779e137367839593efa8f0f725  7600rsp72043-advipservicesk9-mz.151-3.S3.bin\r\n$\r\n$ ls -l 7600rsp72043-advipservicesk9-mz.151-3.S3.bin\r\n-r--r--r-- 1 user user 167167524 May 16 15: 7600rsp72043-advipservicesk9-mz.151-3.S3.bin\r\n$\r\nThe following example shows the use of the fsum utility on a Windows system:\r\nC:\\\u003efsum -md5 7600rsp72043-advipservicesk9-mz.151-3.S3.bin\r\nSlavaSoft Optimizing Checksum Utility - fsum 2.52.00337\r\nImplemented using SlavaSoft QuickHash Library \u003cwww.slavasoft.com\u003e\r\nCopyright (C) SlavaSoft Inc. 1999-2007. All rights reserved.\r\n; SlavaSoft Optimizing Checksum Utility - fsum 2.52.00337 \u003cwww.slavasoft.com\u003e\r\n;\r\n; Generated on 05/20/08 at 00:01:13\r\n;\r\ne383bf779e137367839593efa8f0f725 *7600rsp72043-advipservicesk9-mz.151-3.S3.bin\r\nNote: The use of the fsum utility is for illustrative purposes only and should not be interpreted as an endorsement\r\nof the tool.\r\nUsing Information from Cisco.com\r\nWhen the hash and file size for a Cisco IOS Software image have been collected, network administrators can\r\nverify authenticity of the image using information provided in the Support and Downloads area on the Cisco.com\r\nwebsite. 
This provides details about each publicly available IOS image and may require a valid Cisco.com\r\naccount.\r\nNetwork administrators must identify their Cisco IOS Software release (this can be done by using information\r\nobtained from output provided by the show version command) and navigate through the Downloads area to locate\r\nthe image in use on the Cisco IOS device. Network administrators should verify that one of the following hashes\r\nmatches the MD5 hash that is provided on Cisco.com:\r\nCCO hash calculated by the Cisco IOS verify command (part of the Cisco IOS Image Verification feature)\r\nMD5 hash calculated by the verify /md5 command (part of the MD5 File Validation Cisco IOS feature)\r\nMD5 or SHA-512 hash calculated by a third-party utility\r\nIf the MD5 or SHA-512 hash value for the whole Cisco IOS image file does not match the value provided by\r\nCisco, network administrators should download the Cisco IOS image file from the Cisco IOS Upgrade Planner\r\nand use the file verification methods described in this document to verify integrity of the Cisco IOS image file.\r\nAs of June 1, 2015, Cisco is providing the SHA-512 hash value for all Cisco IOS Software releases that are\r\npublished on Cisco.com. Administrators can compare the SHA-512 value published on Cisco.com and the SHA-512 value calculated by a third-party utility to verify the integrity of a Cisco IOS image.\r\nhttps://tools.cisco.com/security/center/resources/integrity_assurance.html#30\r\nPage 9 of 33\n\nThe following is an example of the information provided on Cisco.com during one of the steps required for\r\ndownloading Cisco IOS Software Release 15.14M7 for a Cisco 1841 Integrated Services Router:\r\nFigure 1. Download Software\r\nVerifying Authenticity for Digitally Signed Images\r\nCisco IOS supports digitally signed images on some platforms. 
Digitally signed Cisco software is digitally signed\r\nusing secure asymmetric (public-key) cryptography.\r\nDigitally signed Cisco software increases the security posture of Cisco IOS devices by ensuring that the software\r\nrunning in the system has not been altered and originates from a trusted source.\r\nAdministrators can verify the authenticity and integrity of the binary file by using the show software authenticity\r\nfile command. In the following example, taken from a Cisco 1900 Series Router, the command is used to verify\r\nthe authenticity of c1900-universalk9-mz.SPA.152-4.M2.bin on the system:\r\nRouter#show software authenticity file c1900-universalk9-mz.SPA.152-4.M2\r\nFile Name : c1900-universalk9-mz.SPA.152-4.M2\r\nImage type : Production\r\n Signer Information\r\n Common Name : CiscoSystems\r\n Organization Unit : C1900\r\n Organization Name : CiscoSystems\r\n Certificate Serial Number : 509AC949\r\n Hash Algorithm : SHA512\r\n Signature Algorithm : 2048-bit RSA\r\n Key Version : A\r\nIn addition, administrators can use the show software authenticity running command to verify the authenticity\r\nof the image that is currently booted and in use on the device. 
Administrators should verify that the Certificate\r\nSerial Number value matches the value obtained by using the show software authenticity file on the binary file.\r\nhttps://tools.cisco.com/security/center/resources/integrity_assurance.html#30\r\nPage 10 of 33\n\nThe following example shows the output of show software authenticity running on a Cisco 1900 Series Router\r\nrunning the c1900-universalk9-mz.SPA.152-4.M2 image.\r\nRouter#show software authenticity running\r\n \r\nSYSTEM IMAGE\r\n------------\r\nImage type : Production\r\n Signer Information\r\n Common Name : CiscoSystems\r\n Organization Unit : C1900\r\n Organization Name : CiscoSystems\r\n Certificate Serial Number : 509AC949\r\n Hash Algorithm : SHA512\r\n Signature Algorithm : 2048-bit RSA\r\n Key Version : A\r\n Verifier Information\r\n Verifier Name : ROMMON 1\r\n Verifier Version : System Bootstrap, Version 15.0(1r)M9, RELEASE SOFTWARE (fc1\r\nTechnical Support: http://www.cisco.com/techsupport\r\nThis example also shows that the Certificate Serial Number value, 509AC949, matches the one obtained with the\r\nprevious example.\r\nAdditional information is in Digitally Signed Cisco Software.\r\nCisco IOS Run-Time Memory Integrity Verification\r\nNetwork administrators can also verify the integrity of the run-time memory of Cisco IOS. This is not a trivial task\r\nand there is not currently a solution that would allow the network administrator to analyze all parts of memory\r\nmanually. However, the best way to verify the integrity of run-time memory for Cisco IOS Software is to analyze\r\nthe region of memory called “main:text.”\r\nThe main:text section contains the actual executable code for Cisco IOS Software after it is loaded in memory. As\r\nsuch, verifying its integrity is particularly relevant for detecting in-memory tampering. 
This region of memory\r\nshould not change during normal Cisco IOS Software operation, and should be the same across reloads.\r\nBecause this region of memory holds the actual operating system code, it should not change between devices as\r\nlong as they are the same model and running the same release number and feature set. However, if the Cisco IOS\r\nrelease in use is ASLR enabled, these assumptions become invalid. A side effect of ASLR is changing some parts\r\nof the operating system code. This means the memory contents will be different across devices, even if they are\r\nrunning the same operating system release and feature set. See the Cisco IOS Address Space Layout\r\nRandomization Considerations section of this document for additional information.\r\nhttps://tools.cisco.com/security/center/resources/integrity_assurance.html#30\r\nPage 11 of 33\n\nNote: The absence of indicators of compromise using the methods presented in this section may not guarantee that\r\nthe Cisco IOS device was not compromised.\r\nCore Dump\r\nCisco IOS devices support exporting the contents of the running memory. After the export, comparisons between\r\nthe running memory dump, also called core dump, and the associated sections in the Cisco IOS image file can be\r\nperformed to detect modification of the run-time memory contents.\r\nThe first step is to create a dump of the run-time memory. Most Cisco IOS releases support a memory dump via\r\nthe write core command. Further information about core dumps on Cisco IOS devices can be found in\r\nthe Creating Core Dumps support document.\r\nThe core dump can be written to an external server via several protocols, including FTP and Remote Copy\r\nProtocol (RCP). 
The following example shows how to configure the Cisco IOS device to write the core dump to\r\nan external server via FTP:\r\nexception core-file \u003cname\u003e compress\r\nexception protocol ftp\r\nexception region-size 65536\r\nexception dump \u003cip address of the ftp server\u003e\r\nip ftp username \u003cuser\u003e\r\nip ftp password \u003cpass\u003e\r\nThe core dump process will usually write several files. The file that contains the text region is the one in the\r\nformat \u003ccore_filename\u003e_\u003ctimestamp\u003e.\r\nNote: The name of the core dump file generated by Cisco IOS Software may differ depending on the specific\r\nCisco IOS device, Cisco IOS release, and feature set in use.\r\nTo determine the boundary of the text region in the core dump file, use the show region command. The following\r\nexample is from a Cisco 7600 Series device using Supervisor Engine 720 and running Cisco IOS 12.2(33)SRD4\r\nadvanced IP services. It shows that the main:text area starts with an offset of 0x1012B8 (this can be calculated by\r\nsubtracting the start of main from the start of main:text, that is, 0x401012B8 - 0x40000000) and has a size of\r\n67464520 bytes:\r\nrouter#show region\r\nRegion Manager:\r\n \r\n Start End Size(b) Class Media Name\r\n0x08000000 0x0BFFFFFF 67108864 Iomem R/W iomem\r\n0x40000000 0x4BFFFFFF 201326592 Local R/W main\r\n0x401012B8 0x44157FFF 67464520 IText R/O main:text\r\n0x4415A1D0 0x4475D44F 6304384 IData R/W main:data\r\n0x4475D450 0x463B8BAF 29734752 IBss R/W main:bss\r\n0x463B8BB0 0x4BFFFFFF 96760912 Local R/W main:heap\r\n0x50000000 0x5FFF7FFF 268402688 Local R/W more_heap\r\n0x80000000 0x8BFFFFFF 201326592 Local R/W main:(main_k0)\r\n0xA0000000 0xABFFFFFF 201326592 Local R/W main:(main_k1)\r\nAfter the boundaries are determined, extract the text region from the core dump.\r\nThere are several tools available for extracting the text 
region. The Linux utility dd is used in this example. To\r\navoid a block error, set the block size (bs) to 1. Additionally, because the text region starts at an offset of\r\n0x1012B8, provide this information to dd after converting the offset to its decimal equivalent: 1053368. dd also\r\nneeds the size of the region: 67464520.\r\nNote that if the compress option is used, the file needs to be uncompressed before using it with dd.\r\ndd if=\u003ccorefile\u003e bs=1 count=67464520 skip=1053368 of=router_main_text\r\nThe file router_main_text will include the text region.\r\nAfter the text region is isolated, compute the checksum of the file. In this example, the Linux\r\nutility md5sum calculates the MD5 checksum of the file:\r\nmd5sum router_main_text\r\n1edd0985da7f1a490729fd0aaf9c0bd7 router_main_text\r\nThis value should be compared to the MD5 hash value obtained by hashing a main:text section taken from a\r\nrouter that is known not to be compromised, also referred to as the known-good text region. The following section\r\nproposes a procedure to create a known-good text region.\r\nThis method implies trust in the memory-dumping process, which may be compromised.\r\nCreating a Known-Good Text Region\r\nA known-good text region is a file that contains the main:text that is known not to be compromised and that can\r\nbe used as a reference point during the forensic operation. This section proposes the procedure that can be used to\r\ncreate a known-good text region.\r\n1. Download the Cisco IOS image from the Cisco Support and Downloads website and note the MD5 value\r\nof the binary.\r\n2. Use the method described in the Using Offline Image File Hashes section of this document to verify that\r\nthe MD5 hash of the image downloaded matches the one on the Cisco Support and Downloads website. We\r\nwill call this the \"known-good image.\"\r\n3. Load the known-good image on a Cisco IOS device.\r\n4. 
Reload the device.\r\n5. After reload, use the method described in the Using the Message Digest 5 File Validation Feature section of\r\nthis document to verify the integrity of the image that has been booted. We will call this the "known-good\r\ndevice." The main:text memory region of this device will be called the known-good text region.\r\n6. Use the method described in Verify MD5 Validation Feature for the Text Region to calculate the MD5 hash\r\nvalue of the main:text region. This is what we call the "MD5 hash of a known-good text region."\r\nOne alternative to Steps 5 and 6 would be to generate a core dump from the known-good device and then extract\r\nthe known-good text region and calculate the MD5 hash using the method described in the Core Dump section of\r\nthis document.\r\nText Memory Section Export\r\nAn alternative to collecting the core dump is exporting the text section using the copy command.\r\nCaution: Due to a bug in Cisco IOS Software, this method may cause a crash and a reload on the following\r\nplatforms. Therefore this method should not be used for these platforms:\r\nCisco Catalyst 6880-X Switch\r\nCisco 3900E Series Integrated Services Routers\r\nCisco 1000 Series Connected Grid Routers\r\nDepending on the Cisco IOS release, the copy command can copy files stored in the Cisco IOS file system to an\r\nexternal server via several protocols, including FTP and Secure Copy Protocol (SCP). SCP is preferable where it is\r\navailable because it authenticates the server and protects the transfer; the following example uses FTP.\r\nConfigure the FTP username and password if this has not been done already:\r\nip ftp username \u003cuser\u003e\r\nip ftp password \u003cpass\u003e\r\nUse the dir command to locate the text region. This is usually in the system:/memory directory. 
The following\r\nexample shows the output of dir system:/memory taken from a Cisco 7600 Series device using Supervisor\r\nEngine 720 and running Cisco IOS 12.2(33)SRD4 advanced IP services:\r\nrouter# dir system:/memory\r\nDirectory of system:/memory/\r\n \r\n 8 -r-- 29734752 \u003cno date\u003e bss\r\n 7 -r-- 6304384 \u003cno date\u003e data\r\n 9 -r-- 96752816 \u003cno date\u003e heap\r\n 4 -r-- 67108864 \u003cno date\u003e iomem\r\n 5 -r-- 201326592 \u003cno date\u003e main\r\n 11 -r-- 201326592 \u003cno date\u003e main_k0\r\n 12 -r-- 201326592 \u003cno date\u003e main_k1\r\n 10 -r-- 268402688 \u003cno date\u003e more_heap\r\n 6 -r-- 67464520 \u003cno date\u003e text\r\nNote that the size of the text file (67464520 bytes) matches the size of the main:text region reported by show region.\r\nExport the text region by using the copy command:\r\n router# copy system:memory/text ftp:\r\n Address or name of remote host []? \u003cFTP server ip address\u003e\r\n Destination filename [text]? router_main_text\r\n Writing router_main_text !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\r\n \u003coutput suppressed\u003e\r\nAfter the file has been exported, use the procedure described in the Core Dump section to verify the integrity of\r\nthe main:text area.\r\nThis method implies trust in the copy process, which may itself be compromised.\r\nVerify MD5 Validation Feature for the Text Region\r\nNetwork administrators can use the verify /md5 command to compute the MD5 checksum of the text region\r\nwithout creating a memory dump. The text region is usually located in the system:/memory directory.\r\nCaution: Due to a bug in the Cisco IOS Software code, this method may cause a crash and a reload on the\r\nfollowing platforms. Therefore this method should not be used for these platforms:\r\nCisco Catalyst 6880-X Switch\r\nCisco 3900E Series Integrated Services Routers\r\nCisco 1000 Series Connected Grid Routers\r\nUse the dir command to locate the text region. This is in system:/memory. 
The following example shows the\r\noutput of dir system:/memory taken from a Cisco 7600 Series device using Supervisor Engine 720 and running\r\nCisco IOS 12.2(33)SRD4 advanced IP services:\r\nrouter# dir system:/memory\r\n \r\nDirectory of system:/memory/\r\n 8 -r-- 29734752 \u003cno date\u003e bss\r\n 7 -r-- 6304384 \u003cno date\u003e data\r\n 9 -r-- 96752816 \u003cno date\u003e heap\r\n 4 -r-- 67108864 \u003cno date\u003e iomem\r\n 5 -r-- 201326592 \u003cno date\u003e main\r\n 11 -r-- 201326592 \u003cno date\u003e main_k0\r\n 12 -r-- 201326592 \u003cno date\u003e main_k1\r\n 10 -r-- 268402688 \u003cno date\u003e more_heap\r\n 6 -r-- 67464520 \u003cno date\u003e text\r\nUse the verify /md5 command to calculate the MD5 checksum of the text region:\r\nrouter# verify /md5 system:memory/text\r\n .......................................................................\r\n [...]\r\n .....................................Done!\r\n verify /md5 (system:memory/text) = 1edd0985da7f1a490729fd0aaf9c0bd7\r\nThis value should be compared to the MD5 hash value obtained by hashing the main:text section of a router that is\r\nknown not to be compromised, also referred to as the known-good text region. See the Creating a Known-Good Text\r\nRegion section of this document. Note that the value obtained here is the same as the one computed offline from the\r\ncore dump in the Core Dump section; all three methods should agree for the same device and image.\r\nThis method implies trust in the onboard verify /md5 command, which may itself be compromised. Of the three\r\nmethods it is the most convenient, but it gives the analyst nothing beyond the reported value, whereas an exported\r\ncore dump or text region can be inspected offline for other indicators.\r\nCisco IOS Address Space Layout Randomization Considerations\r\nTo help harden the security posture of Cisco IOS, some products run a Cisco IOS image with Address Space\r\nLayout Randomization (ASLR).\r\nWhen ASLR is active, the procedures described above may not be valid because ASLR dynamically changes the\r\nmemory space where the text and/or other memory regions are loaded at boot time. 
In some situations, this also\r\nmeans that the instructions in the text region are changed after each reload so the text region does not stay the\r\nsame across reloads or across different devices.\r\nTo determine whether ASLR is active, network administrators can compare the output of the show\r\nregion command between two Cisco IOS devices running the same image and feature set, or between two boots of\r\nthe same device. If the regions have the same starting and ending addresses, that image does not use ASLR on that\r\nplatform. If the addresses are different, ASLR is active, and a text-region hash taken from one boot cannot serve as\r\nthe known-good reference for another.\r\nThe following example shows the output of show region for two identical Cisco IOS routers (c1841) running\r\nidentical images (C1841-ADVENTERPRISEK9-M), Version 15.3(2)T:\r\nrouter# show region\r\n \r\nRegion Manager:\r\n Start End Size(b) Class Media Name\r\n 0x16000000 0x17FFFFFF 33554432 Iomem R/W iomem:(iomem)\r\n 0x60000000 0x75FFFFFF 369098752 Local R/W main\r\n 0x6001B5B8 0x6487FFFF 75909704 IText R/O main:text\r\n 0x6488BC40 0x6692125F 34166304 IData R/W main:data\r\n 0x66921260 0x6742621F 11554752 IBss R/W main:bss\r\n 0x67426220 0x75FFFFFF 247307744 Local R/W main:heap\r\n 0x80000000 0x95FFFFFF 369098752 Local R/W main:(main_k0)\r\n 0xA0000000 0xB5FFFFFF 369098752 Local R/W main:(main_k1)\r\n 0xF6000000 0xF7FFFFFF 33554432 Iomem R/W iomem\r\nrouter# show region\r\n \r\nRegion Manager:\r\n Start End Size(b) Class Media Name\r\n 0x16000000 0x17FFFFFF 33554432 Iomem R/W iomem:(iomem)\r\n 0x60000000 0x75FFFFFF 369098752 Local R/W main\r\n 0x6001EDF8 0x6487FFFF 75895304 IText R/O main:text\r\n 0x6488F480 0x66924A9F 34166304 IData R/W main:data\r\n 0x66924AA0 0x67429A5F 11554752 IBss R/W main:bss\r\n 0x67429A60 0x75FFFFFF 247293344 Local R/W main:heap\r\n 0x80000000 0x95FFFFFF 369098752 Local R/W main:(main_k0)\r\n 0xA0000000 0xB5FFFFFF 369098752 Local R/W main:(main_k1)\r\n 0xF6000000 0xF7FFFFFF 33554432 Iomem R/W iomem\r\nIn 
the preceding example, the starting addresses of the text, data, bss, and heap regions differ between the two\r\ndevices, and the size of main:text differs as well (75909704 versus 75895304 bytes). This indicates that ASLR is\r\nactive for this combination of software and hardware.\r\nAdditional Indicators of Compromise\r\nIn addition to verifying the integrity of the run-time memory, network administrators can check external logs and\r\nlogs stored on the Cisco IOS device itself for the presence of “unusual” commands.\r\nUnusual and Suspicious Commands\r\nThe presence of the following commands should trigger further investigation. The asterisk symbol * indicates any\r\ntext that follows the command itself.\r\ngdb *\r\ntest *\r\ntclsh *\r\ndebug *\r\nservice internal\r\nconfig-register*\r\nboot*\r\nupgrade*\r\nattach *\r\nremote *\r\nipc-con *\r\nif-con *\r\nexecute-on *\r\nservice-monitor *\r\nshow region\r\nshow memory *\r\nshow platform *\r\ndo-exec version of any of the above\r\nNote: Cisco IOS allows command abbreviation. For example, typing se in instead of service internal will still\r\nconfigure service internal on a device. When checking the logs, abbreviations of commands such as tes, rem,\r\nand se in should also be considered.\r\nChecking That Cisco IOS Software Call Stacks Are Within the Text Section Boundaries\r\nDuring normal operation, Cisco IOS processes should have the program counter (PC) and return address (RA)\r\nwithin the boundary of the text section. If this is not the case, the events should be further investigated.\r\nTo verify that the PC and RA are within the text section boundaries, use the show stack pid command, where the\r\nprocess ID (PID) can be obtained, for example, by using the show process command. 
The following example\r\nshows how to display the PIDs of the processes running on the Cisco IOS device:\r\nRouter# show process\r\n CPU utilization for five seconds: 0%/0%; one minute: 1%; five minutes: 0%\r\n PID QTy PC Runtime (ms) Invoked uSecs Stacks TTY Process\r\n 1 Cwe 9D38588 0 25 0 5436/6000 0 Chunk Manager\r\n 2 Csp B698AA4 92 15670 5 2240/3000 0 Load Meter\r\n 4 Mwe A7F5568 4 268 14 5756/6000 0 Retransmission o\r\n 5 Mwe A7F30D8 0 4 0 5008/6000 0 IPC ISSU Dispatc\r\n 6 Mwe B38064C 0 1 0 5728/6000 0 PF Redun ICC Req\r\n 7 Lst 9D63BC0 127108 13231 9606 5436/6000 0 Check heaps\r\n 8 Cwe 9D55360 8 1310 6 5428/6000 0 Pool Manager\r\n 9 Mwe 9D55250 0 1 0 5752/6000 0 DiscardQ Backgro\r\n [...]\r\nAdministrators may use the show stack command to display information about the PC or RA for each process\r\ndisplayed with the show process command. (Depending on the software version and model, the output may\r\ninclude information about a PC or RA.)\r\nThe following example shows use of the show stack command to reveal RA information for PID 5. The result\r\nidentifies the IPC ISSU Dispatch process:\r\nRouter# show stack 5\r\n \r\nProcess 5: IPC ISSU Dispatch Process\r\n Stack segment 0x1551EDAC - 0x1552051C\r\n FP: 0x155204D0, RA: 0x9D6CD44\r\n FP: 0x15520508, RA: 0xA7F30DC\r\n FP: 0x15520510, RA: 0xB6A36E4\r\n FP: 0x0, RA: 0xB69D918\r\nAfter the information about the PC or RA is available, administrators are advised to verify that the memory\r\naddresses fall into the text region boundaries. 
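The two pieces of arithmetic this section and the Core Dump section rely on, done by a script rather than by hand: parse show region, derive the dd offset and size for main:text, carve and hash that slice, and check every RA printed by show stack against the main:text boundaries. This is an added example, not part of the Cisco document. The show region and show stack text is copied (abridged) from this page; the tiny core image and the frame that returns into the stack segment are constructed for the example.

```python
"""Added example (not from the Cisco document): parse `show region` output,
work out where main:text sits in a core dump of the main region, carve it out
and hash it (the dd/md5sum step), and check `show stack` return addresses
against the text boundaries. The show region / show stack text below is copied
from this page (abridged); the core image and the tampered frame are constructed."""
import hashlib
import re

# One data row of `show region`: start end size class media name
REGION_RE = re.compile(
    r"^\s*(0x[0-9A-Fa-f]+)\s+(0x[0-9A-Fa-f]+)\s+(\d+)\s+\S+\s+\S+\s+(\S+)\s*$")
# One frame of `show stack <pid>`, e.g. "FP: 0x155204D0, RA: 0x9D6CD44"
FRAME_RE = re.compile(r"\bRA:\s*(0x[0-9A-Fa-f]+)")


def parse_regions(show_region_output):
    """Return {name: (start, end, size)} with integer values."""
    regions = {}
    for line in show_region_output.splitlines():
        m = REGION_RE.match(line)
        if m:
            start, end, size, name = m.groups()
            regions[name] = (int(start, 16), int(end, 16), int(size))
    return regions


def text_offset_in_core(regions):
    """(offset, size) of main:text inside a dump of the main region.

    Same arithmetic as the document: offset = start(main:text) - start(main).
    The size column is cross-checked against the address range so that a
    truncated or mis-copied listing is caught before anything is carved.
    """
    main_start = regions["main"][0]
    start, end, size = regions["main:text"]
    if end - start + 1 != size:
        raise ValueError("main:text size does not match its address range")
    return start - main_start, size


def carve_text(core_bytes, offset, size):
    """Equivalent of `dd bs=1 skip=<offset> count=<size>` on an uncompressed core."""
    if offset + size > len(core_bytes):
        raise ValueError("core file is shorter than offset + size")
    return core_bytes[offset:offset + size]


def md5_hex(data):
    """Hash to compare with the known-good text region (md5sum / verify /md5)."""
    return hashlib.md5(data).hexdigest()


def return_addresses(show_stack_output):
    """Every RA value printed by `show stack <pid>`, as integers."""
    return [int(x, 16) for x in FRAME_RE.findall(show_stack_output)]


def addresses_outside_text(addresses, regions):
    """Addresses that do NOT fall inside main:text; an empty list is the good case."""
    lo, hi, _ = regions["main:text"]
    return [a for a in addresses if not lo <= a <= hi]


# `show region` from the Cisco 7600 core dump example on this page (abridged).
SHOW_REGION_7600 = """Region Manager:
 Start End Size(b) Class Media Name
0x08000000 0x0BFFFFFF 67108864 Iomem R/W iomem
0x40000000 0x4BFFFFFF 201326592 Local R/W main
0x401012B8 0x44157FFF 67464520 IText R/O main:text
0x4415A1D0 0x4475D44F 6304384 IData R/W main:data
"""
# `show region` and `show stack 5` from the call-stack example on this page (abridged).
SHOW_REGION_STACK = """Region Manager:
 Start End Size(b) Class Media Name
 0x04000000 0x77FFFFFF 1946157056 Local R/W main
 0x08000000 0x0FFFFFFF 134217728 IText R/O main:text
 0x10000000 0x11A7B06F 27766896 IData R/W main:data
 0x13CA9A1C 0x77FFFFFF 1681221092 Local R/W main:heap
"""
SHOW_STACK_5 = """Process 5: IPC ISSU Dispatch Process
 Stack segment 0x1551EDAC - 0x1552051C
 FP: 0x155204D0, RA: 0x9D6CD44
 FP: 0x15520508, RA: 0xA7F30DC
 FP: 0x15520510, RA: 0xB6A36E4
 FP: 0x0, RA: 0xB69D918
"""
# Constructed: one frame returns into the process's own stack segment (heap region).
SHOW_STACK_TAMPERED = SHOW_STACK_5.replace("RA: 0xA7F30DC", "RA: 0x15520000")
# Constructed 27-byte "core": 16 bytes of padding, a 3-byte "text" region, then slack.
TINY_CORE = b"\x00" * 16 + b"abc" + b"\xFF" * 8


if __name__ == "__main__":
    regions = parse_regions(SHOW_REGION_7600)
    print(text_offset_in_core(regions))            # (1053368, 67464520), as on this page
    print(md5_hex(carve_text(TINY_CORE, 16, 3)))   # MD5 of b"abc"
    stack_regions = parse_regions(SHOW_REGION_STACK)
    for label, out in (("clean", SHOW_STACK_5), ("tampered", SHOW_STACK_TAMPERED)):
        bad = addresses_outside_text(return_addresses(out), stack_regions)
        print(label, [hex(a) for a in bad])
```

On a real core, pass the uncompressed file's bytes and the (offset, size) returned by text_offset_in_core to carve_text; the size cross-check exists because an attacker who can edit what show region prints, or an analyst who mis-copies a row, would otherwise produce a silently wrong slice and a hash that matches nothing.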
These boundaries can be displayed by using the show\r\nregion command:\r\nRouter# show region\r\n \r\nRegion Manager:\r\n Start End Size(b) Class Media Name\r\n 0x04000000 0x77FFFFFF 1946157056 Local R/W main\r\n 0x04000000 0x07FFFFFF 67108864 Local R/W main:rommon\r\n 0x08000000 0x0FFFFFFF 134217728 IText R/O main:text\r\n 0x10000000 0x11A7B06F 27766896 IData R/W main:data\r\n 0x11A7B070 0x13CA9A1B 35842476 IBss R/W main:bss\r\n 0x13CA9A1C 0x77FFFFFF 1681221092 Local R/W main:heap\r\n 0x78000000 0x7FFFFFFF 134217728 Iomem R/W iomem\r\n Free Region Manager:\r\n Start End Size(b) Class Media Name\r\nIn this case, all return addresses (0x9D6CD44, 0xA7F30DC, 0xB6A36E4, and 0xB69D918) are within the text section\r\nboundaries (between 0x08000000 and 0x0FFFFFFF), as are the PC values listed by show process (for example,\r\n0x9D38588 for PID 1). A return address that instead falls into the stack segment, the heap, or any other writable\r\nregion is the kind of anomaly that warrants further investigation.\r\nChecking Command History in the Cisco IOS Core Dump\r\nCisco IOS uses an internal buffer to record all commands typed either via the system console or via vty interfaces.\r\nWhen a core dump is generated, the command history buffer is also copied in the core dump file. 
Network\r\nadministrators can search the core dump to look for unusual commands.\r\nThe following example shows how to search a core dump file by using the Linux utility strings:\r\n$ strings \u003cCORE\u003e |grep ^CMD:\r\n CMD: 'verify /md5 system:memory/text' 06:59:50 UTC Wed Jan 15 2014\r\n CMD: 'service internal | i exce' 07:02:41 UTC Wed Jan 15 2014\r\n CMD: 'conf t' 07:02:45 UTC Wed Jan 15 2014\r\n CMD: 'exception flash procmem bootflash:' 07:02:54 UTC Wed Jan 15 2014\r\n CMD: 'exception core-file CORE compress ' 07:03:31 UTC Wed Jan 15 2014\r\nThe timestamps are only as reliable as the device clock; if the clock was not set (for example, via NTP), they\r\ncannot be correlated with external logs. If the compress option was used, the core dump must be uncompressed\r\nbefore strings can find these records.\r\nThe command history can be used to check whether some of the suspicious commands, such as those listed in\r\nthe Unusual and Suspicious Commands section, have been run on a router, which would be an indication of\r\ncompromise.\r\nThe presence of unusual commands or repetition of commands, even those not listed in the Unusual and\r\nSuspicious Commands section, should also be investigated because these commands could indicate a way for an\r\nattacker to cover traces.\r\nChecking the Command History\r\nNetwork administrators can use the show history all command to access command history records. 
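A scanner for these CMD: records, whether they come from strings on a core dump or from show history all, that applies the Unusual and Suspicious Commands list with the abbreviation and do-exec caveats from that section. This is an added example, not part of the Cisco document; the history records it runs on are constructed in the format shown on this page, and the minimum abbreviation lengths are a choice made here, not an IOS rule.

```python
"""Added example (not from the Cisco document): scan CMD: history records, as
produced by `strings <core> | grep ^CMD:` or `show history all`, for the
commands the document lists as unusual, allowing for IOS command abbreviation
and the do-exec prefix. The history records below are constructed for this
example in the format shown on this page."""
import re

# Patterns from the "Unusual and Suspicious Commands" list on this page. A trailing
# "*" means any text may follow; patterns without it must match the whole command.
SUSPICIOUS = [
    "gdb *", "test *", "tclsh *", "debug *", "service internal",
    "config-register*", "boot*", "upgrade*", "attach *", "remote *",
    "ipc-con *", "if-con *", "execute-on *", "service-monitor *",
    "show region", "show memory *", "show platform *",
]
# Minimum prefix that counts as an abbreviation of a keyword (a choice made here).
# The default of two characters mirrors the document's "se in" example;
# config-register needs more because "conf t" (configure terminal) would
# otherwise be flagged.
MIN_ABBREV = {"config-register": len("config-r")}
CMD_RE = re.compile(r"^\s*CMD:\s+'(.*)'\s+(\S.*)$")


def _pattern_words(pattern):
    words = pattern.split()
    open_tail = words[-1].endswith("*")
    if open_tail:
        words[-1] = words[-1].rstrip("*")
        words = [w for w in words if w]          # "test *" -> ["test"]
    return words, open_tail


def abbreviates(typed, keyword):
    """True if `typed` is `keyword` or an accepted prefix of it."""
    return len(typed) >= MIN_ABBREV.get(keyword, 2) and keyword.startswith(typed)


def command_matches(typed_command, pattern):
    """True if the typed command is the pattern or an IOS-style abbreviation of it.

    Only the part before the first pipe is examined: "show run | i service internal"
    runs show run, not service internal. A leading do-exec (or do) is stripped so
    that the configuration-mode form of an exec command is still caught.
    """
    typed = typed_command.split("|", 1)[0].split()
    if typed and typed[0] in ("do", "do-exec"):
        typed = typed[1:]
    words, open_tail = _pattern_words(pattern)
    if len(typed) < len(words) or (len(typed) > len(words) and not open_tail):
        return False
    return all(abbreviates(t, w) for t, w in zip(typed, words))


def scan_history(records):
    """Return [(timestamp, command, matched_pattern)] for every suspicious record."""
    hits = []
    for line in records.splitlines():
        m = CMD_RE.match(line)
        if not m:
            continue
        command, when = m.groups()
        for pattern in SUSPICIOUS:
            if command_matches(command, pattern):
                hits.append((when.strip(), command, pattern))
                break
    return hits


# Constructed records in the CMD: format shown on this page.
SAMPLE_HISTORY = """\
 CMD: 'show run | include ^service internal' 09:55:17 UTC Thu Jan 16 2014
 CMD: 'sh run | i service' 17:20:34 UTC Thu Jan 23 2014
 CMD: 'service internal' 10:40:14 UTC Fri Jan 24 2014
 CMD: 'show history all | i ser' 10:41:30 UTC Fri Jan 24 2014
 CMD: 'ser in' 10:41:39 UTC Fri Jan 24 2014
 CMD: 'conf t' 10:42:00 UTC Fri Jan 24 2014
 CMD: 'do-exec tes' 10:42:10 UTC Fri Jan 24 2014
 CMD: 'sh reg' 10:42:30 UTC Fri Jan 24 2014
 CMD: 'show ip interface brief' 10:43:00 UTC Fri Jan 24 2014
"""

if __name__ == "__main__":
    for when, command, pattern in scan_history(SAMPLE_HISTORY):
        print("%s  %-28s  matches %r" % (when, command, pattern))
```

The pipe handling is what keeps the first, second and fourth records (show run and show history all filtered on "service") out of the results, while service internal, its abbreviation ser in, the do-exec form of test and the abbreviated show region are reported. Because IOS only requires a prefix to be unambiguous within the current mode, a scanner cannot reproduce its parser exactly; treat hits as leads to confirm against AAA accounting, not as proof.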
The following\r\nexample shows how to search for the presence of the service internal command in the history buffer:\r\nrouter# show history all | include se\r\n CMD: 'show run | include ^service internal' 09:55:17 UTC Thu Jan 16 2014\r\n CMD: 'show run | include ^service internal' 10:06:54 UTC Thu Jan 16 2014\r\n CMD: 'show run | include ^service internal' 10:49:54 UTC Tue Jan 21 2014\r\n CMD: 'sh run | i service' 17:20:34 UTC Thu Jan 23 2014\r\n CMD: 'service internal' 10:40:14 UTC Fri Jan 24 2014\r\n CMD: 'sho history all | i ser' 10:41:00 UTC Fri Jan 24 2014\r\n CMD: 'show history all | i ser' 10:41:30 UTC Fri Jan 24 2014\r\n CMD: 'ser in' 10:41:39 UTC Fri Jan 24 2014\r\n CMD: 'show history all | i ser' 10:41:42 UTC Fri Jan 24 2014\r\nNote that the filter matches any record containing se, so the output also includes benign commands such as\r\nshow run | include ^service internal; only the entries service internal and ser in actually enabled the feature.\r\nThe command history can be used to check whether some of the suspicious commands, such as those listed in\r\nthe Unusual and Suspicious Commands section, have been run on a router, which would be an indication of\r\ncompromise.\r\nThe presence of unusual commands or repetition of commands, even those not listed in the Unusual and\r\nSuspicious Commands section, should also be investigated because these commands could indicate a way for an\r\nattacker to cover traces.\r\nChecking External Accounting Logs\r\nCisco IOS can be configured to send accounting information for exec and configuration commands to an external\r\nserver via the TACACS+ protocol as explained in the Security Best Practices section. These accounting records can\r\nbe used to check whether some of the suspicious commands have been run on a router, which would be an indication\r\nof compromise. Unlike the on-device history buffer, records that have already reached the external server cannot be\r\naltered by someone who controls the router.\r\nChecking External Syslog Logs\r\nCisco IOS Software can be configured to send syslog logs to an external syslog server. Currently Cisco IOS\r\nSoftware will not send exec commands executed via the console or vty to the syslog server. (Configuration Change\r\nNotification and Logging, enabled with logging enable and notify syslog under archive / log config, can forward\r\nconfiguration-mode commands, but not exec commands such as show or test.) 
Network administrators\r\nshould check the logs for unusual connections or connection attempts to the Cisco IOS devices via vty, console, or\r\nother available methods.\r\nChecking Booting Information\r\nInformation about the last time the Cisco IOS device was reloaded and the reason may provide additional insight\r\nabout a possible compromise. For example, an unscheduled reload should raise attention and be investigated\r\nfurther.\r\nNetwork administrators can use the show version command to see information about uptime, last reload cause,\r\nand which file was used to boot the Cisco IOS. The following is an example of show version output taken from a\r\nCisco 7606.\r\nImportant information in order of appearance in the output is:\r\nRouter uptime: This information indicates how long the router has been up. This information can be\r\ncorrelated with change management logs to see whether a reload was authorized and expected.\r\nImage booted: This field ("System image file is") provides information about which file was used to boot the\r\nCisco IOS device. Administrators are advised to ensure that the filename matches the Cisco IOS image they\r\nintended to boot, and that the file at that path is the one whose hash was verified.\r\nConfiguration register: This value is used to indicate how the router should boot. The default value is\r\n0x2102 and should not be modified under normal circumstances. Modification of this value may indicate\r\nan attempt to change the correct boot sequence (for example, 0x2142 makes the router ignore the startup\r\nconfiguration, and a boot field of 0 leaves the router in the ROM monitor). 
Additional information is in Use of the Configuration\r\nRegister on All Cisco Routers.\r\nRouter# show version\r\n Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICESK9-M),\r\n Version 12.2(33)SRD4, RELEASE SOFTWARE (fc2)\r\n Technical Support: http://www.cisco.com/techsupport\r\n Copyright (c) 1986-2010 by Cisco Systems, Inc.\r\n Compiled Mon 22-Feb-10 00:21 by prod_rel_team\r\n ROM: System Bootstrap, Version 12.2(33r)SRE, RELEASE SOFTWARE (fc1)\r\n BOOTLDR: Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICESK9-M\r\n Version 12.2(33)SRD4, RELEASE SOFTWARE (fc2)\r\n Router uptime is 1 day, 21 hours, 41 minutes\r\n Uptime for this control processor is 1 day, 21 hours, 41 minutes\r\n System returned to ROM by power-on (SP by power on)\r\n System image file is \"sup-bootdisk:c7600rsp72043-advipservicesk9-mz.122-33.SRD4\"\r\n Last reload type: Normal Reload\r\n This product contains cryptographic features and is subject to United\r\n States and local country laws governing import, export, transfer and\r\n use. Delivery of Cisco cryptographic products does not imply\r\n third-party authority to import, export, distribute or use encryption.\r\n Importers, exporters, distributors and users are responsible for\r\n compliance with U.S. and local country laws. By using this product you\r\n agree to comply with applicable laws and regulations. If you are unable\r\n to comply with U.S. and local laws, return this product immediately.\r\n A summary of U.S. 
laws governing Cisco cryptographic products may be found at:\r\n http://www.cisco.com/wwl/export/crypto/tool/stqrg.html\r\n If you require further assistance please contact us by sending email to\r\n export@cisco.com.\r\n Cisco CISCO7606 (M8500) processor (revision 1.0) with 917504K/65536K bytes of memory.\r\n Processor board ID FOX090407DR\r\n BASEBOARD: RSP720\r\n CPU: MPC8548_E, Version: 2.0, (0x80390020)\r\n CORE: E500, Version: 2.0, (0x80210020)\r\n CPU:1200MHz, CCB:400MHz, DDR:200MHz,\r\n L1: D-cache 32 kB enabled\r\n I-cache 32 kB enabled\r\n Last reset from power-on\r\n 1 Virtual Ethernet interface\r\n 4 Gigabit Ethernet interfaces\r\n 4 Ten Gigabit Ethernet interfaces\r\n 3964K bytes of non-volatile configuration memory.\r\n 500472K bytes of Internal ATA PCMCIA card (Sector size 512 bytes).\r\n Configuration register is 0x2102\r\nChecking the ROM Monitor Variable\r\nThe ROM monitor is a bootstrap program that initializes the hardware and boots the Cisco IOS Software.\r\nBecause the ROM monitor settings are persistent, information about the ROM monitor variable values could\r\nindicate an attempt to influence the Cisco IOS boot sequence. 
Administrators can use the set command while in\r\nthe ROM monitor prompt to see the value of the ROM monitor variables.\r\nNote: Entering the ROM monitor prompt will require a reload of the Cisco IOS device, so this check should be\r\nscheduled as an outage. Without a reload, the show bootvar command in Cisco IOS displays the BOOT variable and\r\nthe configuration register, but that view is only as trustworthy as the running image.\r\nThe output of the set command may differ depending on the platform and Cisco IOS release; however,\r\nadministrators should ensure that the following conditions are met:\r\nThe BOOT variable is set, reflecting the image file that should be used to boot Cisco IOS Software\r\nThe OFFSET variable is not set (that is, it does not appear in the output)\r\nThe following example shows the output of the set command executed on a Cisco 7600 Series device using\r\nSupervisor Engine 720 and running Cisco IOS 12.2(33)SRD4 advanced IP services:\r\n rommon 1 \u003e set\r\n PS1=rommon ! \u003e\r\n ALLOWANYFAN=1\r\n ALLOWANYPS=1\r\n LOG_PREFIX_VERSION=1\r\n SLOTCACHE=cards;\r\n ADJ_MCAST=\r\n BOOT=disk0:c7600s72033-advipservicesk9-mz.122-33.SRD4,12;\r\n RANDOM_NUM=2050115557\r\n RELOAD_TYPE=1\r\n TYFIB_BLOCK_ALLOC=\r\n NT_K=0:0:0:0\r\n BSI=0\r\n ACL_DENY=0\r\n PF_REDUN_CRASH_COUNT=0\r\n RET_2_RTS=10:59:51 UTC Wed Feb 5 2014\r\n RET_2_RCALTS=1391597993\r\n CRASHINFO=bootflash:crashinfo_20140205-105949-UTC\r\n ?=0\r\nIn this output the BOOT variable names the expected image and no OFFSET variable appears.\r\nChecking the ROM Monitor Information\r\nAdministrators can use the show rom-monitor command to verify the current version of the ROM monitor and\r\nwhether the ROM monitor has been upgraded on the Cisco IOS device. 
The following example shows the output\r\nof the command from a Cisco 1800 Series router on which a ROM monitor upgrade has been performed:\r\n Router# show rom-monitor\r\n ReadOnly ROMMON version:\r\n System Bootstrap, Version 12.3(8r)T8, RELEASE SOFTWARE (fc1)\r\n Technical Support: http://www.cisco.com/techsupport\r\n Copyright (c) 2004 by cisco Systems, Inc.\r\n Upgrade ROMMON version:\r\n System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)\r\n Technical Support: http://www.cisco.com/techsupport\r\n Copyright (c) 2006 by cisco Systems, Inc.\r\n Currently running ROMMON from Upgrade region\r\n ROMMON from Upgrade region is selected for next boot\r\nNote: The output of this command may differ depending on the Cisco IOS hardware platform or software release.\r\nAdministrators should make sure that the ROM monitor upgrade was a scheduled and legitimate action, because an\r\nupgrade region written by an attacker runs before Cisco IOS and therefore before any of the checks described in\r\nthis document.\r\nSecurity Best Practices\r\nMaintain Cisco IOS Image File Integrity\r\nTo minimize the risk associated with malicious code, it is important that network administrators develop and\r\nconsistently apply a secure methodology for Cisco IOS Software image management. 
This secure process must be\r\nused from the time a Cisco IOS Software image is downloaded from Cisco.com until a Cisco IOS device begins\r\nusing it.\r\nAlthough processes may vary based on the network and its security and change management requirements, the\r\nfollowing procedure represents an example of best practices that may help minimize the possibility of malicious\r\ncode installation.\r\nWhen downloading a Cisco IOS Software image from www.cisco.com, record the MD5 hash as presented\r\non the Support and Downloads page of www.cisco.com.\r\nAfter the image has been downloaded to an administrative workstation, the MD5 hash of the local file\r\nshould be verified against the hash presented by the Cisco IOS Upgrade Planner.\r\nAfter the Cisco IOS Software image file has been verified as authentic and unaltered, copy it to write-once\r\nmedia or media that can be rendered as read-only after the image has been written.\r\nVerify the MD5 hash of the file written to the read-only media to detect corruption during the copy process.\r\nRemove the local file on the administrative workstation.\r\nRelocate the read-only media to the file server that is used for Cisco IOS Software image distribution to\r\nCisco IOS devices.\r\nTransfer the Cisco IOS Software image from the file server to the Cisco IOS device using a secure protocol\r\nthat provides both authentication and encryption.\r\nVerify the MD5 hash of the Cisco IOS Software image on the Cisco IOS device using any of the\r\nprocedures detailed in the Cisco IOS Image File Verification section of this document and, for digitally signed\r\nimages, verify the signature as described in the Verifying Authenticity for Digitally Signed Images section.\r\nModify the configuration of the Cisco IOS device to load the new Cisco IOS Software image upon startup.\r\nReload the Cisco IOS device to place the new software into service.\r\nImplement Change Control\r\nChange control is a mechanism through which network device changes are requested, approved, implemented, 
and\r\naudited. Change control is a great help in determining which changes have been authorized and which are\r\nunauthorized. Change control is important to help ensure that only authorized and unaltered Cisco IOS Software is\r\nused on Cisco IOS devices in the network.\r\nHarden the Software Distribution Server\r\nThe server that is used to distribute software to Cisco IOS devices in the network is a critical component of\r\nnetwork security. Several best practices should be implemented to help ensure the authenticity and integrity of\r\nsoftware that is distributed from this server. These best practices include the following:\r\nApplication of well-established operating system hardening procedures that are specific to the operating\r\nsystem in use\r\nConfiguration of all appropriate logging and auditing capabilities, including logging to write-once media\r\nPlacement of the software distribution server on a secure network with restricted connectivity from all but\r\nthe most trusted networks\r\nThe use of restrictive security controls to limit interactive access (as an example, SSH) to only a subset of\r\ntrusted network administrators\r\nKeep Cisco IOS Software Updated\r\nCisco IOS Software used in the network must be kept up to date so that new security functionality can be used and\r\nexposure to known vulnerabilities disclosed through Cisco Security Advisories is minimal.\r\nCisco is continually evolving the security of Cisco IOS Software images through the implementation of new\r\nsecurity functionality and the resolution of bugs. For these reasons, it is imperative that network administrators\r\nmaintain their networks in a manner that includes using up-to-date software. 
Failure to do so could expose\r\nvulnerabilities that may be used to gain unauthorized access to a Cisco IOS device.\r\nCisco transparently communicates vulnerabilities found in all Cisco products according to the Cisco Security\r\nVulnerability Policy.\r\nNetwork administrators can use the Cisco IOS Software Checker tool to search for Cisco Security Advisories that\r\naddress specific Cisco IOS Software releases.\r\nDeploy Digitally Signed Cisco IOS Images\r\nDigitally signed Cisco software is signed using asymmetric (public-key) cryptography.\r\nThe purpose of digitally signed Cisco software is to increase the security posture of Cisco IOS devices by\r\nensuring that the software running in the system has not been tampered with and originated from a trusted source\r\nas claimed.\r\nFor additional information, see Digitally Signed Cisco Software.\r\nCisco Secure Boot\r\nCisco Secure Boot is a secure startup process that your Cisco device performs each time it boots up. Beginning\r\nwith the initial power-on, a special purpose hardware device, known as the Trust Anchor module, verifies the\r\nintegrity of the ROMMON code and the IOS image via digital signatures as they each are loaded. If any failures\r\nare detected, the user is notified of the error and the device will wait for the operator to correct the error. This\r\nprevents your network device from executing tainted network software.\r\nCisco Value Chain Security\r\nCisco's Value Chain Security program focuses on counterfeit products, tainted products, and misuse of intellectual\r\nproperty. Just as important as physical security, maintaining a chain of custody from manufacturing through\r\ninstallation and provisioning is vital to a trustworthy network. 
There are many avenues to introduce malware or\r\nfraudulent hardware into network devices, and Cisco's Value Chain Security program ensures that devices\r\ndelivered with the Cisco Systems name are authentic and unmodified.\r\nWhile this program helps ensure the authenticity of Cisco hardware, administrators should make sure they keep\r\ntight control over the delivery and handling of new or refurbished equipment once it has arrived on the premises.\r\nFor additional information, see Cisco Value Chain Security.\r\nLeverage the Latest Cisco IOS Security Protection Features\r\nCisco is continuously working on increasing the security protection present in Cisco devices. Whenever possible,\r\nCisco leverages the current hardware and provides software updates that include the latest security protection\r\nfeatures. However, in some cases new hardware capabilities are needed to provide the best protection.\r\nAdministrators should review their hardware and software to make sure that features such as Cisco Digitally\r\nSigned Image, ASLR, and Cisco Secure Boot are present in devices running in critical segments of their network\r\ninfrastructure.\r\nUse Authentication, Authorization, and Accounting\r\nThe comprehensive implementation of Authentication, Authorization, and Accounting (AAA) is critical to\r\nensuring the security of interactive access to network devices. Furthermore, AAA (specifically the authorization\r\nand accounting functions) should be used to limit the actions that authenticated users can perform and provide an\r\naudit trail of individual user actions.\r\nThe following example shows the necessary configuration to send accounting information to an external AAA\r\nserver. 
Note that Cisco also recommends configuration of authentication and authorization together with\r\naccounting.\r\n aaa accounting exec default start-stop group tacacs+\r\n aaa accounting commands 0 default start-stop group tacacs+\r\n aaa accounting commands 1 default start-stop group tacacs+\r\n aaa accounting commands 15 default start-stop group tacacs+\r\nCommand accounting is configured per privilege level; if custom privilege levels are in use, add a line for each of\r\nthem, or commands run at those levels will not be recorded.\r\nFor additional information about the implementation of AAA, see the Authentication, Authorization, and\r\nAccounting section of Cisco Guide to Harden Cisco IOS Devices.\r\nUse TACACS+ Authorization to Restrict Commands\r\nCommand authorization via TACACS+ should be enforced to keep tight control over commands that network\r\nadministrators should not use without specific reasons. This can be accomplished by configuring authentication\r\nand command authorization via TACACS+.\r\nThe following example shows how to configure a Cisco IOS device for TACACS+ authentication, command\r\nauthorization, and command accounting:\r\n aaa new-model\r\n aaa authentication login default group tacacs+ local enable\r\n aaa authentication enable default group tacacs+ enable\r\n aaa authorization config-commands\r\n aaa authorization exec default group tacacs+ local if-authenticated\r\n aaa authorization commands 1 default group tacacs+ local if-authenticated\r\n aaa authorization commands 15 default group tacacs+ local if-authenticated\r\n aaa accounting exec default start-stop group tacacs+\r\n aaa accounting commands 0 default start-stop group tacacs+\r\n aaa accounting commands 1 default start-stop group tacacs+\r\n aaa accounting commands 15 default start-stop group tacacs+\r\n aaa session-id common\r\nThe local and if-authenticated methods in the authorization lines are fallbacks that apply only when the TACACS+\r\nservers cannot be reached, not when they deny a command. An attacker who can cut the device off from its\r\nTACACS+ servers therefore obtains if-authenticated behaviour, so the reachability of those servers should be\r\nmonitored and unexplained fallback events investigated.\r\nWhen authorization is in place, the following commands should be restricted or prohibited by configuring the\r\nexternal AAA server. 
The following commands are particularly relevant to ensure that the Cisco IOS Software\r\nrun-time memory and boot sequence are not modified:\r\ngdb *\r\ntest *\r\ntclsh *\r\nservice internal\r\nconfig-register*\r\nboot*\r\nupgrade*\r\nThe following commands may be used to connect to line cards or switch processors on products that support them.\r\nThey are particularly important because after the Cisco IOS device is connected to a line card or switch processor,\r\nthe commands executed are not logged or authorized using the AAA server.\r\nattach *\r\nremote *\r\nipc-con *\r\nif-con *\r\nexecute-on *\r\nThe following commands may be used to show a particular state of the system. They are important because they\r\ncan be used during a reconnaissance attack to study the system and prepare an attack using other commands:\r\nshow platform *\r\nshow region\r\nshow memory *\r\nCisco IOS Software allows the use of do-exec \u003ccommand\u003e (commonly typed as do \u003ccommand\u003e) in\r\nconfiguration mode. It is important that policies for authentication, command authorization, and command\r\naccounting take this feature into account by restricting or prohibiting any of the commands detailed in this section\r\neven when they are preceded by the do-exec command (for example, do-exec test *).\r\nImplement Credentials Management\r\nPasswords control access to resources or devices. A password or secret is defined and used to authenticate\r\nrequests. When a request is received for access to a resource or device, the request is challenged for verification of\r\nthe password and identity, and access can be granted, denied, or limited based on the result.\r\nAs a security best practice, passwords should be managed with a TACACS+ or RADIUS authentication server.\r\nHowever, a locally configured password for privileged access is still needed in the event of a failure of the\r\nTACACS+ or RADIUS services. 
A device can also have other password information in its configuration, such as\r\nan NTP key, Simple Network Management Protocol (SNMP) community string, or routing protocol key.\r\nThe enable secret command is used to set the password that grants privileged administrative access to the Cisco\r\nIOS system. The enable secret command must be used, rather than the older enable password command.\r\nThe enable password command uses a weak encryption algorithm.\r\nIf no enable secret is set and a password is configured for the console line, the console password can be used to\r\nreceive privileged access, even from a remote vty session. This action is almost certainly unwanted and is another\r\nreason to ensure configuration of an enable secret.\r\nThe service password-encryption global configuration command directs Cisco IOS Software to encrypt the\r\npasswords, Challenge Handshake Authentication Protocol (CHAP) secrets, and similar data that are saved in its\r\nconfiguration file. Such encryption is useful to prevent casual observers from reading passwords, such as when\r\nthey look at the screen over the shoulder of an administrator. However, the algorithm used by the service\r\npassword-encryption command is a simple Vigenère cipher. The algorithm is not designed to protect\r\nconfiguration files against serious analysis by even slightly sophisticated attackers and must not be used for this\r\npurpose. Any Cisco IOS configuration file that contains encrypted passwords must be treated with the same care\r\nthat is used for a cleartext list of those same passwords.\r\nAlthough this weak encryption algorithm is not used by the enable secret command, it is used by the enable\r\npassword global configuration command, as well as the password line configuration command. 
Passwords of this\r\ntype must be eliminated, and the enable secret command or the Enhanced Password Security feature must be\r\nused instead.\r\nThe enable secret command and the Enhanced Password Security feature use salted MD5 for password hashing.\r\nThis algorithm has had considerable public review and is not known to be reversible. However, the algorithm is\r\nsubject to dictionary attacks. In a dictionary attack, an attacker tries every word in a dictionary or other list of\r\ncandidate passwords to find a match. Therefore, configuration files must be securely stored and only shared with\r\ntrusted individuals.\r\nParticular care should be taken in protecting network administrator credentials from theft because privileged\r\naccess to the Cisco IOS device may be used to compromise the integrity of the memory, compromise the\r\nconfidentiality of the data and configuration, and affect operations.\r\nCisco recommends the use of two-factor authentication for device management.\r\nImplement Configuration Controls\r\nConfiguration management is a process by which configuration changes are proposed, reviewed, approved, and\r\ndeployed. In the context of a Cisco IOS device configuration, two additional aspects of configuration management\r\nare critical: configuration archives and security.\r\nYou can use configuration archives to roll back changes that are made to network devices. In a security context,\r\nconfiguration archives can also be used to determine which security changes were made and when these changes\r\noccurred. In conjunction with AAA log data, this information can assist in the security auditing of network\r\ndevices.\r\nThe configuration of a Cisco IOS device contains many sensitive details. Usernames, passwords, and the contents\r\nof access control lists are examples of this type of information. 
The repository that you use to archive Cisco IOS\r\ndevice configurations needs to be secured. Insecure access to this information can undermine the security of the\r\nentire network.\r\nAdditional information is in the Cisco IOS Software Configuration Management section of Cisco Guide to Harden\r\nCisco IOS Devices.\r\nProtect Interactive Access to Devices\r\nAfter AAA has been implemented to control which users can log in to particular network devices, access control\r\nshould be implemented to limit IP addresses from which users may perform management functions on a network\r\ndevice. This access control includes multiple security features and solutions to limit access to a device:\r\nVTY access classes\r\nManagement Plane Protection (MPP)\r\nControl Plane Policing (CoPP)\r\nControl Plane Protection (CPPr)\r\nInfrastructure access control lists (iACL)\r\nSNMP access lists\r\nFor more information, see the following sections of Cisco Guide to Harden Cisco IOS Devices: Secure Interactive\r\nManagement Sessions and Fortify the Simple Network Management Protocol.\r\nMany protocols carry sensitive network management data. You must use secure protocols whenever possible. A\r\nsecure protocol choice includes the use of SSH instead of Telnet so that both authentication data and management\r\ninformation are encrypted. In addition, you must use secure file transfer protocols when you copy configuration\r\ndata. An example is the use of SCP in place of FTP or TFTP.\r\nSee the Secure Interactive Management Sessions section of Cisco Guide to Harden Cisco IOS Devices for more\r\ninformation about the secure management of Cisco IOS devices.\r\nGain Traffic Visibility with NetFlow\r\nNetFlow enables you to monitor traffic flows in the network. Originally intended to export traffic information to\r\nnetwork management applications, NetFlow can also be used to show flow information on a router. This capability\r\nallows you to see what traffic traverses the network in real time. 
Regardless of whether flow information is\r\nexported to a remote collector, you are advised to configure network devices for NetFlow so that it can be used\r\nreactively if needed.\r\nMore information about this feature and using NetFlow to identify a possibly compromised device or network is\r\nin the Traffic Identification and Traceback section of Cisco Guide to Harden Cisco IOS Devices and in Telemetry-Based Infrastructure Device Integrity Monitoring.\r\nUse Centralized and Comprehensive Logging\r\nFor network administrators to understand events taking place on a network, a comprehensive logging structure\r\nusing centralized log collection and correlation must be implemented. Additionally, a standardized logging and\r\ntime configuration must be deployed on all network devices to facilitate accurate logging. Furthermore, logging\r\nfrom the AAA functions in the network should be included in the centralized logging implementation.\r\nAfter comprehensive logging is in place on a network, the collected data must be used to monitor network activity\r\nfor events that may indicate unauthorized access to a network device or unauthorized actions by legitimate users.\r\nThese types of events could represent the first step in undermining the security on a Cisco IOS device. Because\r\nthe following items may represent unauthorized access or unauthorized actions, they should be monitored closely:\r\nThe transmission of Cisco IOS Software images to a Cisco IOS device using the copy command or local\r\nSCP, TFTP, or FTP server functionality.\r\nThe attempted execution of certain high-risk EXEC commands.\r\nThe copy, gdb, more, configure, tclsh, and test commands are some examples of commands that should\r\nbe monitored. This list is not exhaustive.\r\nModification of the boot environment in use on the network devices. 
This specifically includes\r\nthe boot and config-register global configuration commands.\r\nModification of the security configuration for a Cisco IOS device. This may include the removal of VTY\r\naccess classes or the logging configuration or the addition of new administrative users.\r\nLogging related to the insertion or removal of storage media, such as flash devices.\r\nSNMP-related logging of attempts to modify the Cisco IOS device configuration or perform file\r\nmanagement tasks.\r\nThe planned and unplanned reload of the Cisco IOS Software due to a software crash or the use of\r\nthe reload command.\r\nFor more information, see the Centralize Log Collection and Monitoring and Logging Best Practices sections\r\nof Cisco Guide to Harden Cisco IOS Devices.\r\nConclusion\r\nAs interest in Cisco IOS Software integrity assurance grows, this document has presented various\r\nmethods for an administrator to assess the integrity of the software running on his or her Cisco IOS device. These\r\ninclude image and memory verification, command checks, boot history checks, and more. Most miscreants\r\ntargeting Cisco IOS router software would, in theory, attempt to modify it by using hidden commands,\r\ncompromising images, or exploiting vulnerabilities. 
These techniques can usually be prevented by implementing\r\ncommon recommendations and best practices that are published by Cisco and summarized in this document.\r\nCommand authorization and accounting, logging, credential management, image signing, vulnerability control,\r\nand device hardening are some of the most important practices that will not only prevent Cisco IOS Software\r\nmodification in nearly all cases, but will also ensure good security policy.\r\nAcknowledgments\r\nAuthors:\r\nPanos Kampanakis (pkampana[at]cisco[dot]com) is a member of the Applied Security Intelligence team in\r\nthe Security Intelligence Operations organization.\r\nStefano De Crescenzo (sdecresc[at]cisco[dot]com) is a member of the PSIRT team in the Security\r\nIntelligence Operations organization.\r\nXavier Brouckaert (xabrouck[at]cisco[dot]com) is a member of the PSIRT team in the Security Intelligence\r\nOperations organization.\r\nDario Ciccarone (dciccaro[at]cisco[dot]com) is a member of the PSIRT team in the Security Intelligence\r\nOperations organization.\r\nReferences\r\nCisco Guide to Harden Cisco IOS Devices\r\n//www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html\r\nCisco IOS Image Verification\r\n//www.cisco.com/web/about/security/intelligence/iosimage.html\r\nOffline Analysis of IOS Image Integrity Blog\r\nhttp://blogs.cisco.com/security/offline-analysis-of-ios-image-integrity/\r\nSecuring Tool Command Language on Cisco IOS\r\n//www.cisco.com/web/about/security/intelligence/securetcl.html\r\nCisco Security Vulnerability Policy\r\n//www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html\r\nUse of the Configuration Register on All Cisco Routers\r\n//www.cisco.com/c/en/us/support/docs/routers/10000-series-routers/50421-config-register-use.html\r\nDigitally Signed Cisco 
Software\r\n//www.cisco.com/c/en/us/td/docs/ios-xml/ios/sys-image-mgmt/configuration/15-mt/sysimgmgmt-15-mt-book/sysimgmgmt-dgtly-sgnd-sw.html\r\nCisco IOS Software Checker\r\nhttps://sec.cloudapps.cisco.com/security/center/selectIOSVersion.x\r\nCreating Core Dumps\r\n//www.cisco.com/en/US/docs/internetworking/troubleshooting/guide/tr19aa.html\r\nCisco IOS Configuration Guide\r\n//www.cisco.com/c/en/us/support/ios-nx-os-software/ios-15-3m-t/products-installation-and-configuration-guides-list.html\r\nMD5 File Validation\r\n//www.cisco.com/c/en/us/td/docs/ios-xml/ios/sys-image-mgmt/configuration/15-mt/sysimgmgmt-15-mt-book/sysimgmgmt-md5.html\r\nImage Verification\r\n//www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/15-mt/sec-usr-cfg-15-mt-book/sec-image-verifctn.html\r\nTelemetry-Based Infrastructure Device Integrity Monitoring\r\n//www.cisco.com/web/about/security/intelligence/network-integrity-monitoring.html\r\nCisco IOS XE Software Integrity Assurance\r\n//www.cisco.com/web/about/security/intelligence/ios-xe-integrity-assurance.html\r\nCisco Value Chain Security\r\n//www.cisco.com/web/about/doing_business/trust-center/built-in-security/supply-chain-security.html\r\nRevision History\r\nSeptember 7, 2018: Moved content to a new URL.\r\nJune 8, 2015: Added additional information to the Introduction, Potential Attack Methods, Commands,\r\nManipulating Cisco IOS Images, Vulnerabilities, and ROM Monitor sections. Added Cisco\r\nSecure Boot and Cisco Supply Chain Security sections. 
Added reference for Cisco Supply\r\nChain Security.\r\nMay 29, 2015: Added caution statement in the \"Text Memory Section Export\" and \"Verify MD5 Validation\r\nFeature for the Text Region\" sections to indicate that certain commands should not be used\r\nwith certain platforms.\r\nNovember 6, 2014: Removed RADIUS from \"Checking External Accounting Logs.\"\r\nJuly 17, 2014: Added the sections \"Verifying Authenticity for Digitally Signed Images\" and \"Checking That\r\nCisco IOS Software Call Stacks Are Within the Text Section Boundaries.\" Added to the list of\r\nunusual and suspicious commands. Added links to Telemetry-Based Infrastructure Device\r\nIntegrity Monitoring and Cisco IOS XE Software Integrity Assurance.\r\nApril 16, 2014: Initial public release.\r\nThis document is part of the Cisco Security portal. Cisco provides the official information contained on the Cisco\r\nSecurity portal in English only.\r\nThis document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the\r\nwarranties of merchantability or fitness for a particular use. Your use of the information in the document or\r\nmaterials linked from the document is at your own risk. Cisco reserves the right to change or update this document\r\nwithout notice at any time.\r\nSource: https://tools.cisco.com/security/center/resources/integrity_assurance.html#30",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://tools.cisco.com/security/center/resources/integrity_assurance.html#30"
	],
	"report_names": [
		"integrity_assurance.html#30"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775441525,
	"ts_updated_at": 1775826779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a6fb7e4221fe059883fbe275616374202b882c3c.pdf",
		"text": "https://archive.orkl.eu/a6fb7e4221fe059883fbe275616374202b882c3c.txt",
		"img": "https://archive.orkl.eu/a6fb7e4221fe059883fbe275616374202b882c3c.jpg"
	}
}