{"id":951,"date":"2010-07-13T17:33:35","date_gmt":"2010-07-13T16:33:35","guid":{"rendered":"http:\/\/mccltd.net\/blog\/?p=951"},"modified":"2010-07-13T17:33:54","modified_gmt":"2010-07-13T16:33:54","slug":"ios-image-verification","status":"publish","type":"post","link":"http:\/\/darenmatthews.com\/blog\/?p=951","title":{"rendered":"IOS Image Verification"},"content":{"rendered":"<p>The Image Verification feature, added in Cisco IOS Software Releases  12.3(4)T, 12.0(26)S, and 12.2(18)S, builds on the MD5 File Validation  functionality to more easily allow network administrators to verify the  integrity of an image file that is loaded on the Cisco IOS file system  of a device. <!--more--><\/p>\n<p>The purpose of the Image Verification feature is to ensure  that corruption of the Cisco IOS software image file has not occurred.  The corruption detected by this feature could have occurred at any time;  for example, during the download from Cisco.com or the installation  process.<\/p>\n<p><strong>Note: <\/strong>The Image Verification feature  does not check the integrity of the image running in memory.<\/p>\n<p>Cisco IOS software image file verification using this feature can be  accomplished using the following commands:<\/p>\n<ul>\n<li><strong>file verify auto<\/strong><\/li>\n<li><strong>copy [\/erase] [\/verify | \/noverify]<\/strong> <em>source-url  destination-url<\/em><\/li>\n<li><strong>reload [warm] [\/verify | \/noverify]<\/strong> [<em>text<\/em> | <strong>in<\/strong> <em>time  [text]<\/em> | <strong>at<\/strong> <em>time [text]<\/em> | <strong>cancel<\/strong>]<\/li>\n<\/ul>\n<p><strong>Note: <\/strong>Only the <strong>file verify auto<\/strong> global configuration  command and the <strong>verify<\/strong> privileged EXEC command will be covered in  this Security Response. 
For information on the <strong>copy \/verify<\/strong> and <strong>reload  \/verify<\/strong> commands, please see the section entitled &#8220;Image  Verification&#8221; (available at <a href=\"http:\/\/www.cisco.com\/en\/US\/docs\/ios\/sec_user_services\/configuration\/guide\/sec_image_verifctn.html\">http:\/\/www.cisco.com\/en\/US\/docs\/ios\/sec_user_services\/configuration\/guide\/sec_image_verifctn.html<\/a>) of the &#8220;Cisco IOS Security Configuration Guide&#8221; (available at <a href=\"http:\/\/www.cisco.com\/en\/US\/docs\/ios\/security\/configuration\/guide\/12_4\/sec_12_4_book.html\">http:\/\/www.cisco.com\/en\/US\/docs\/ios\/security\/configuration\/guide\/12_4\/sec_12_4_book.html<\/a>).<\/p>\n<h4>Configuring the file verify auto Command<\/h4>\n<p>Network administrators can use the <strong>file verify auto<\/strong> global  configuration command to enable verification of all images that are  either copied using the <strong>copy<\/strong> privileged EXEC command or loaded  using the <strong>reload<\/strong> privileged EXEC command. 
These images are  automatically verified for image file integrity.<\/p>\n<p>The following example shows how to configure the <strong>file verify auto<\/strong> Cisco IOS feature:<\/p>\n<blockquote>\n<pre>router#<strong>configure terminal<\/strong>\r\nrouter(config)#<strong>file verify auto<\/strong>\r\nrouter(config)#<strong>exit<\/strong>\r\nrouter#<\/pre>\n<\/blockquote>\n<p>In addition to <strong>file verify auto<\/strong>, both the <strong>copy<\/strong> and the <strong>reload<\/strong> commands have a <strong>\/verify<\/strong> argument that enables the Image  Verification feature to check the integrity of the Cisco IOS image file.  This argument must be used each time an image is copied to or reloaded  on a Cisco IOS device if the global configuration command <strong>file verify  auto<\/strong> is not present.<\/p>\n<h4>Using the Image Verification Cisco IOS verify Command<\/h4>\n<p>Network administrators can also use the <strong>verify<\/strong> privileged EXEC  command, originally introduced for the &#8220;MD5 File Validation&#8221; feature  and updated by the &#8220;Image Verification&#8221; feature, to verify the integrity  of image files that are stored locally on a device. The following  example demonstrates how to use the updated <strong>verify<\/strong> command on a  Cisco IOS device:<\/p>\n<blockquote>\n<pre>router#<strong>verify disk0:c7301-jk9s-mz.124-10.bin<\/strong>\r\n<strong>Verifying file integrity of disk0:c7301-jk9s-mz.124-10.bin<\/strong>\r\n.....&lt;output truncated&gt;.....Done!\r\nEmbedded Hash  MD5 : <strong>0C5BE63C4E339707EFB7881FDE7D5324<\/strong>\r\nComputed Hash  MD5 : <strong>0C5BE63C4E339707EFB7881FDE7D5324<\/strong>\r\nCCO Hash       MD5 : <strong>AD9F9C902FA34B90DE8365C3A5039A5B<\/strong>\r\n\r\n<strong>Signature Verified<\/strong>\r\n\r\nrouter#<\/pre>\n<\/blockquote>\n<p>In the preceding output, three MD5 hash values are displayed by the <strong>verify<\/strong> command. 
Here is an explanation of what each one of those MD5 hash  values means:<\/p>\n<ul>\n<li><strong>Embedded Hash:<\/strong> MD5 hash stored by Cisco in a section of the  Cisco IOS image file during the image build process; used to verify  section integrity for the Cisco IOS software image file. This MD5 hash  value is calculated for certain sections of the Cisco IOS image file.<\/li>\n<li><strong>Computed Hash:<\/strong> MD5 hash that the &#8220;Image Verification&#8221; feature  calculates for certain sections of the Cisco IOS software image file  when the <strong>verify<\/strong> command is executed. This value should be the  same as the Embedded Hash to verify section integrity of the Cisco IOS  image file. If this value is not equal to the Embedded Hash, the Cisco  IOS image file may be corrupted or intentionally altered.<\/li>\n<li><strong>CCO Hash:<\/strong> MD5 hash for the entire Cisco IOS image file. This  hash is computed by the verify command and is not stored in the Cisco  IOS software image.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>The Image Verification feature, added in Cisco IOS Software Releases 12.3(4)T, 12.0(26)S, and 12.2(18)S, builds on the MD5 File Validation functionality to more easily allow network administrators to verify the integrity of an image file that is loaded on the Cisco IOS file system of a 
device.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[83],"tags":[32],"_links":{"self":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/951"}],"collection":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=951"}],"version-history":[{"count":3,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/951\/revisions"}],"predecessor-version":[{"id":954,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/951\/revisions\/954"}],"wp:attachment":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=951"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=951"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=951"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}