by dogma1138 3597 days ago
One thing I find odd is

"JETPLOW is a persistent implant of EPICBANANA. Digitally signed Cisco software is signed using secure asymmetrical (public-key) cryptography in newer platforms prevents these types of attacks. The purpose of digitally signed Cisco software is to increase the security posture of Cisco ASA devices by ensuring that the software running on the system has not been tampered with and originated from a trusted source as claimed."

They claim that the implant is digitally signed, then they say that it shouldn't work because Cisco software is digitally signed also, and it's verified by the Cisco Secure Boot.

Isn't that a bit contradictory? Sure, they might have had flaws in their verification process (we've seen signature verifications that were nothing more than "is this a signed message" before), but since Cisco verifies the signature properly (as you haven't been able to binary patch Cisco boot images for 5+ years), doesn't this imply that the NSA got a hold of the signing keys used by Cisco or an authorized 3rd party?

5 comments

The advisory is saying that JETPLOW is not signed. And thus, in newer platforms where signing is implemented, it would prevent that type of attack.
It's just poor grammar. Here's the fixed sentence, replacing a confusing proper noun: "PROPERNOUN Cisco software is signed using secure asymmetrical (public-key) cryptography in newer platforms [that] prevents these types of attacks."
Yeah, I guess it's a combination of non-ideal grammar and lack of reading comprehension on my part :)
They clarified that the files are signed by PKI now. Notice the order of the words "digitally signed [files] are signed using secure [etc] in newer platforms"

It suggests to me that the previous signature style was a symmetric type, whereas now it's asymmetric.
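Added illustration (not part of the thread or of Cisco's code) of the two verification styles the discussion contrasts: the "is this a signed message" presence check versus a real public-key check of the kind secure boot relies on. The image layout, the 64-byte trailer and the sample payload are constructed assumptions, not Cisco's format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Constructed image layout (an assumption, not Cisco's real format): the raw
// payload followed by a 64-byte Ed25519 signature trailer.
const sigLen = ed25519.SignatureSize

// signImage appends the vendor's signature over the payload. Only the build
// system holds priv; the device only ever carries the matching public key.
func signImage(priv ed25519.PrivateKey, payload []byte) []byte {
	return append(append([]byte{}, payload...), ed25519.Sign(priv, payload)...)
}

// presenceOnlyCheck is the weak "is this a signed message" check: any trailer passes.
func presenceOnlyCheck(image []byte) bool { return len(image) > sigLen }

// verifyImage is what secure boot should do: the trailer must verify against the
// public key pinned in the platform, so a modified payload or a foreign key fails.
func verifyImage(pub ed25519.PublicKey, image []byte) bool {
	if len(image) <= sigLen {
		return false
	}
	payload, sig := image[:len(image)-sigLen], image[len(image)-sigLen:]
	return ed25519.Verify(pub, payload, sig)
}

// Demo reports (weakAcceptsTampered, strongAcceptsGenuine,
// strongAcceptsTampered, strongAcceptsForeignKey) for constructed images.
func Demo() (bool, bool, bool, bool) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	payload := []byte("constructed ASA image payload v1") // sample, not real firmware
	genuine := signImage(vendorPriv, payload)
	tampered := append([]byte{}, genuine...)
	tampered[0] ^= 0x01 // one-byte change to the payload, trailer left as-is
	foreign := signImage(otherPriv, payload) // well-formed signature, wrong key
	return presenceOnlyCheck(tampered), verifyImage(vendorPub, genuine),
		verifyImage(vendorPub, tampered), verifyImage(vendorPub, foreign)
}

func main() {
	w, g, t, f := Demo()
	fmt.Printf("presence-only accepts tampered: %v\n", w)
	fmt.Printf("pubkey check: genuine=%v tampered=%v foreign-key=%v\n", g, t, f)
}
```

The asymmetric check needs nothing secret on the device, which is the property a symmetric (shared-key) scheme cannot give once the device itself holds the key.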

> They claim that the implant is digitally signed

Where do they claim that? Both occurrences of the words "digitally signed" in the quoted section refer to the new Cisco software and not to the JETPLOW payload.

It says in newer platforms. That said, a boot verification is kind of pointless in systems that are expected to run continuously for months. If you have code execution, you might be perfectly fine only having your in for months and not bother to patch the firmware.