Don’t Forget the Firmware
- CVE-2020-3566: Cisco IOS XR Software DVMRP Memory Exhaustion
- CVE-2020-5902: F5 BIG-IP TMUI Unauthenticated RCE
- CVE-2020-8193: Citrix ADC Gateway Auth Bypass
- CVE-2020-2021: Palo Alto GlobalProtect SAML Auth Bypass
- CVE-2020-2034: Palo Alto GlobalProtect Command Injection
- CVE-2020-1640: BGP Denial of Service in Juniper Junos OS
These are firmware devices routinely located on external networks that stand guard against the chaos of the internet. Since it’s no secret that most internal networks are ripe for compromise, if these edge devices fall, the entire organization’s assets are often not far behind. The risk to critical infrastructure across a broad range of industries was deemed so severe that US CYBERCOM issued several alerts urging network administrators to remediate these vulnerabilities immediately.
Unfortunately, due to the many different vendor update and security advisory schemes, firmware devices such as these are some of the most overlooked when it comes to patch management. The individual vendors and vulnerabilities noted above are not important; all firmware devices from all vendors require system administrators to continually apply service updates. These types of devices are frequently marketed as silver bullets, a panacea to all cybersecurity woes, when they shamefully are not.
Firmware is defined as software that is contained permanently in a hardware device. Traditionally it is computer code that is stored in a read-only memory (ROM). Your computer’s motherboard will have dozens of microcontrollers, integrated circuits with a firmware program in them that accomplishes some small task for the overall system.
More broadly, the term firmware has become nomenclature for an operating system and its services that run on a network device. Firewalls, printers, and the numerous “smart” IoT devices are examples of complex systems that are patched and updated through a monolithic “firmware” update. The consumer does not have to know much about the underlying operating system or update each component individually; instead, every few months the vendor will release new firmware.
Firmware in this sense can include services that enable administration of the device, such as a web application or SSH. It is common for firmware devices to enable known vulnerable services by default, such as IPMI 2.0 and telnet daemons. Every one of these enabled services increases the organization’s attack surface. Many devices allow you to configure the available services. It is worth taking the time to administratively disable services that are not in use, and to ensure that configurations such as TLS encryption are secure.
Industrial Control Systems also fall into the vague category of firmware devices, as do many embedded products that run on top of the Microsoft Windows operating system. Indeed, the Windows workstations and servers that power your organization are likely the biggest attack surface you have, and a misconfigured or unpatched device joined to the domain can open your organization up for attack. It is important to ensure that these devices are receiving available Windows updates in a timely manner. User roles and group policies must be locked down. You may even choose to deploy an antivirus solution.
There is also the rarer case where a legacy device is still in use, a critical vulnerability has been discovered, and no firmware patch is available. In this instance, it is worth weighing the risk to the organization against the cost of replacing the system. If replacement is not an option, moving vulnerable devices to isolated subnets may be an appropriate remediation.
Cyber espionage intelligence campaigns and organized cybercriminal operations will invest vast resources into knowing your network better than you do. Take the time to map out and learn the entire network, and don’t forget the firmware. A leading problem in the information security industry is that most organizations do not have a full inventory of their assets. RiskSense has published a guide that will help map out your organization’s networks. Read the documentation on how to configure these devices, and pay close attention to your vendor’s security advisories.
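The three recurring recommendations above (disable risky default services and verify TLS settings, keep firmware at or above the vendor's fixed version, and isolate legacy devices that will never receive a patch) are easiest to act on when they are checked against an asset inventory rather than remembered per device. The following is an added example, not code from the article or from any vendor: a small inventory audit that flags each of those conditions. The device records, the `ExampleVendor`/`ExampleServer` products, the `ADV-EXAMPLE-*` advisory identifiers and the dotted version scheme are all constructed placeholders; real vendor version strings (and real advisory data) differ and would need a per-vendor parser.

```python
"""Audit a firmware-device inventory against risky services and vendor advisories.

Added example for this article. Every device, product, version and advisory
below is a constructed placeholder, not real vendor data.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Services the article calls out as risky when left enabled by default,
# with the defender-side action for each.
RISKY_SERVICES = {
    "telnet": "cleartext remote shell; disable and use SSH",
    "ipmi": "IPMI 2.0 has known authentication weaknesses; disable or restrict to a management VLAN",
    "http": "cleartext management UI; disable and require HTTPS",
}
MIN_TLS = "1.2"  # lowest TLS version the audit accepts for an HTTPS management UI


@dataclass
class Device:
    name: str
    vendor: str
    product: str
    version: str
    services: Set[str]          # services administratively enabled on the device
    tls_min: Optional[str] = None  # lowest TLS version the HTTPS UI accepts, if any


@dataclass
class Advisory:
    advisory_id: str      # placeholder ids below; real ones come from the vendor
    vendor: str
    product: str
    affected_below: str   # versions strictly below this are affected
    fixed_version: Optional[str]  # None: vendor has published no fix (legacy device)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '9.1.2' into (9, 1, 2) so versions compare numerically.
    Assumes a purely dotted-integer scheme; adapt per vendor."""
    return tuple(int(part) for part in v.split("."))


def audit(devices: List[Device], advisories: List[Advisory]) -> List[Tuple[str, str, str]]:
    """Return (device, category, detail) findings; an empty list means compliant."""
    findings = []
    for d in devices:
        # 1. Risky services still enabled.
        for svc in sorted(d.services & set(RISKY_SERVICES)):
            findings.append((d.name, "service", f"{svc}: {RISKY_SERVICES[svc]}"))
        # 2. HTTPS present but allowing a TLS version below the minimum.
        if "https" in d.services and d.tls_min is not None:
            if parse_version(d.tls_min) < parse_version(MIN_TLS):
                findings.append((d.name, "tls", f"https allows TLS {d.tls_min}; require {MIN_TLS} or higher"))
        # 3. Vendor advisories that apply to this product and version.
        for a in advisories:
            if (a.vendor, a.product) != (d.vendor, d.product):
                continue
            if parse_version(d.version) >= parse_version(a.affected_below):
                continue
            if a.fixed_version is None:
                findings.append((d.name, "no_patch",
                                 f"{a.advisory_id}: no fix published; replace, or move to an isolated subnet"))
            else:
                findings.append((d.name, "patch",
                                 f"{a.advisory_id}: upgrade {d.version} -> {a.fixed_version}"))
    return findings


# Constructed sample inventory and advisories (placeholders, not real data).
INVENTORY = [
    Device("edge-fw-1", "ExampleVendor", "ExampleFW", "9.1.2", {"ssh", "https", "telnet"}, tls_min="1.0"),
    Device("bmc-1", "ExampleServer", "BMC", "1.4.0", {"ipmi", "https"}, tls_min="1.2"),
    Device("edge-fw-2", "ExampleVendor", "ExampleFW", "9.2.0", {"ssh", "https"}, tls_min="1.2"),
]
ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "ExampleVendor", "ExampleFW", affected_below="9.2.0", fixed_version="9.2.0"),
    Advisory("ADV-EXAMPLE-0002", "ExampleServer", "BMC", affected_below="2.0.0", fixed_version=None),
]

if __name__ == "__main__":
    for name, category, detail in audit(INVENTORY, ADVISORIES):
        print(f"{name:<10} {category:<9} {detail}")
```

Run against the sample inventory, `edge-fw-1` is flagged three times (telnet enabled, TLS 1.0 accepted, firmware below the advisory's fixed version), `bmc-1` twice (IPMI enabled, and an advisory with no fix, so isolation or replacement is the remaining option), and `edge-fw-2` not at all. Feeding the same function a real inventory export and the vendor advisories you track turns "don't forget the firmware" into a check you can run on a schedule.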