Cisco Product Security Incident Response Team (PSIRT) has released
information to address a report that describes a type of persistent
malware used against Cisco IOS platforms known as SYNful Knock.
Mandiant/FireEye published an article describing an example of this type
of malware used to manipulate certain Cisco IOS platforms. Cisco PSIRT
worked with Mandiant and confirmed that no product vulnerability is
leveraged in this attack and, to be successful, the attacker requires
valid administrative credentials or physical access to the system to
install a malicious IOS image. Once the malicious IOS image is
installed, the attacker could manipulate device behavior via HTTP
packets sent to the targeted device's interface. No CVE ID will be
Cisco PSIRT has published a blog post and updated a number of technical documents to include information regarding this malware as well as other threats to Cisco IOS devices. The following publications are publicly available and provide information for preventing, detecting, and remediating potential compromise on Cisco IOS devices:
Cisco recommends that users review these documents to understand the types of threats against Cisco IOS devices. Cisco also recommends that users ensure operational procedures include methods for preventing and detecting compromise. In addition, administrators are advised to apply Snort SID 36054 to help detect attacks using SYNful Knock.
For help with implementing any of the recommendations in the documents,
customers should contact their appropriate support organization.
We request your assistance by distributing this information to your
constituent organizations to raise awareness about the evolution of
threats against Cisco IOS devices.
For questions regarding information in the above documents, contact email@example.com.
Modified Cisco IOS Binary Information
The following table shows a summary of the Cisco IOS Software images found to be compromised, the MD5 of each compromised image, and the MD5 of the original Cisco IOS Software image:
Cisco IOS Software Image | Compromised MD5 Hash | Good MD5 Hash
Note: the preceding table is based on samples collected by Cisco. This may not be a complete list of Cisco IOS Software images modified by SYNful Knock malware. This table will be updated as new information becomes available.
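The table above is only useful if it is actually applied to the images in the field. The following script is an added example, not Cisco's code or tooling: it streams the MD5 of each image file, checks the digest against a known-compromised set first (so a trojaned image is flagged whatever it has been renamed to), and only then compares it with the published good hash for that image name. The image name, the reference hashes and the sample image bytes are constructed for the example; replace them with the values from the table and from Cisco's download pages.

```python
import hashlib
import sys
from pathlib import Path
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample data (NOT real Cisco images or hashes): a stand-in for a
# genuine IOS image and for the same image with an implant appended.
GENUINE_IMAGE = b"CISCO IOS SOFTWARE IMAGE (constructed sample bytes)\x00" * 64
TROJANED_IMAGE = GENUINE_IMAGE + b"\xcc" * 16 + b"constructed implant blob"


def md5_bytes(data: bytes) -> str:
    """Hex MD5 of an in-memory blob."""
    return hashlib.md5(data).hexdigest()


def md5_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hex MD5 of a file, streamed so a large image need not fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


# Reference data shaped like the table: image name -> MD5 of the genuine
# image, plus the set of MD5s seen on compromised images. Assumed names and
# values; in practice populate these from Cisco's published hashes.
KNOWN_GOOD: Dict[str, str] = {
    "c2800nm-sample-image.bin": md5_bytes(GENUINE_IMAGE),
}
KNOWN_COMPROMISED: Set[str] = {md5_bytes(TROJANED_IMAGE)}


def classify(image_name: str, digest: str,
             known_good: Dict[str, str] = KNOWN_GOOD,
             known_compromised: Set[str] = KNOWN_COMPROMISED) -> str:
    """
    Order matters: a digest on the compromised list is reported regardless of
    the file name (renaming the file must not hide it); then the name is
    matched against the good list. Anything else is MISMATCH (a reference
    exists and the digest differs) or UNKNOWN (no reference for that name).
    """
    digest = digest.lower()
    if digest in known_compromised:
        return "COMPROMISED"
    expected = known_good.get(image_name)
    if expected is None:
        return "UNKNOWN"
    return "GOOD" if digest == expected.lower() else "MISMATCH"


def check_images(images: Iterable[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Classify in-memory (name, bytes) pairs; returns (name, verdict) pairs."""
    return [(name, classify(name, md5_bytes(data))) for name, data in images]


def check_files(paths: Iterable[Path]) -> List[Tuple[str, str]]:
    """Classify image files copied off devices (e.g. via TFTP or SCP)."""
    return [(p.name, classify(p.name, md5_file(p))) for p in paths]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = check_files(Path(a) for a in sys.argv[1:])
    else:  # no paths given: run against the constructed samples
        results = check_images([
            ("c2800nm-sample-image.bin", GENUINE_IMAGE),
            ("c2800nm-sample-image.bin", TROJANED_IMAGE),
        ])
    for name, verdict in results:
        print(f"{verdict:12} {name}")
```

Cisco IOS can also hash an image in place with `verify /md5 flash:<image> <expected-md5>`, but output from a device whose image is already trojaned cannot be trusted to report honestly, so hash a copy retrieved from the device on a separate workstation and compare it against the published values there. MD5 here is only a lookup key into Cisco's published list, not a signature; it matches what the table provides.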