The Real Threat From SYNful Knock On Cisco Devices

There has been a lot of news about the recent paper from Mandiant on a backdoor malware named SYNful Knock. Some headlines make it seem like this is a major zero-day; however, here is the real story … it's not a product vulnerability. See the Cisco blog post on this HERE and the PSIRT announcement HERE regarding what is really vulnerable and how to handle it.

The key paragraph to note from the blog on this subject is as follows.

“The Cisco PSIRT worked with Mandiant and confirmed that the attack did not leverage any product vulnerabilities and that it was shown to require valid administrative credentials or physical access to the victim’s device.”

So first off, the attacker needs physical access to the device or valid administrative credentials, which means that if either of those had happened, you would already be in trouble regardless of the SYNful Knock malware.

SYNful Knock is explained in the blog as:

“SYNful Knock is a type of persistent malware that allows an attacker to gain control of an affected device and compromise its integrity with a modified Cisco IOS software image. It was described by Mandiant as having different modules enabled via the HTTP protocol and triggered by crafted TCP packets sent to the device.”

So really it's a piece of malware that can cause harm if an attacker has administrative rights or physical access, meaning it's NOT A PRODUCT VULNERABILITY. Even with that, there is an IPS rule (Snort Rule SID:36054) that can detect this.

Regardless, it is always best practice to audit the security of your network equipment. Omar Santos does a good job explaining best practices for reviewing and hardening your network devices.


So hopefully this puts some of those concerns about the SYNful Knock threat to bed. Maybe Mandiant is upset by the real vulnerabilities that were published in the FireEye playing with Fire paper found HERE?
