Cisco has patched a high-severity bug in the web-based user interface of its IOS XE software. The flaw lets anyone on the internet stealthily break into internal networks without a password.
This newly disclosed issue, tracked as CVE-2019-1904, can be exploited by a remote attacker using a cross-site request forgery (CSRF) attack on affected systems.
Cisco IOS XE is the Linux-based version of the company’s internetworking operating system (IOS), used on numerous enterprise routers and Cisco Catalyst switches. Cisco confirmed the bug doesn’t affect IOS, IOS XR, or NX-OS variants.
“The vulnerability is due to insufficient CSRF protections for the web UI on an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link,” Cisco explains.
In an attack scenario, a CSRF exploit could be hidden inside malicious ads, lending itself to weaponization in an exploit kit. The appeal of exploiting this flaw is that it would allow an attacker to target internal networks or admins without setting off any alarms.
An attacker who successfully exploits the flaw can perform any action available to the affected user, at that user's privilege level.
“If the user has administrative privileges, the attacker could alter the configuration, execute commands, or reload an affected device,” Cisco warns.
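To make "insufficient CSRF protections" concrete, the following is an added, constructed illustration rather than any Cisco code, and it says nothing about how the IOS XE web UI is actually built. The management origin, the session store and both handlers are assumptions. The weak handler authorises on the session cookie alone, which is the condition that lets a link or ad on another site drive the logged-in user's browser into issuing a state-changing request; the hardened handler adds the checks a web UI needs: POST only, an exact Origin/Referer match, and a per-session synchroniser token compared in constant time.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed management URL of the device (placeholder for the example).
DEVICE_ORIGIN = "https://router.example.internal"


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


@dataclass
class Session:
    user: str
    # Per-session synchroniser token; the UI embeds it in its own forms.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


SESSIONS = {}  # session id -> Session (in-memory stand-in for a session store)


def login(user: str) -> str:
    """Create a session and return the cookie value the browser will store."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = Session(user)
    return sid


def weak_handler(req: Request) -> str:
    """Authorises on the session cookie alone. A browser attaches that cookie
    to any request aimed at the device, so a form submitted from another site
    runs with the logged-in user's privileges: the CSRF condition."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None:
        return "401 unauthenticated"
    return f"200 executed {req.form.get('cmd')} as {sess.user}"


def _same_origin(req: Request) -> bool:
    """Accept only requests whose Origin (or, failing that, Referer) is the
    management UI itself; compare scheme and host exactly, never by prefix."""
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if not origin:
        return False
    parts = urlsplit(origin)
    return f"{parts.scheme}://{parts.netloc}" == DEVICE_ORIGIN


def hardened_handler(req: Request) -> str:
    """Same action, gated by method, origin and a constant-time token check."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None:
        return "401 unauthenticated"
    if req.method != "POST":
        return "405 state-changing actions require POST"
    if not _same_origin(req):
        return "403 cross-site request rejected"
    if not hmac.compare_digest(req.form.get("csrf_token", ""), sess.csrf_token):
        return "403 missing or invalid csrf token"
    return f"200 executed {req.form.get('cmd')} as {sess.user}"


def demo() -> dict:
    """Replay one forged and one legitimate request against both handlers."""
    sid = login("admin")
    token = SESSIONS[sid].csrf_token
    # Constructed cross-site request: the browser sends the cookie, but the
    # Origin is another site and no synchroniser token is present.
    forged = Request("POST", headers={"Origin": "https://ads.example.net"},
                     cookies={"sid": sid}, form={"cmd": "reload"})
    legit = Request("POST", headers={"Origin": DEVICE_ORIGIN},
                    cookies={"sid": sid},
                    form={"cmd": "reload", "csrf_token": token})
    return {
        "weak_forged": weak_handler(forged),
        "hardened_forged": hardened_handler(forged),
        "hardened_legit": hardened_handler(legit),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The origin comparison deliberately parses the header and compares scheme and host exactly; a prefix match would accept a host such as `router.example.internal.attacker.example`. The token check is in addition to, not instead of, the origin check, because older browsers may omit Origin on some requests while Referer can be stripped by privacy settings.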
The only fix for this vulnerability is to install the software updates Cisco has made available, and those updates are only available to customers with a valid Cisco license.
The bug was discovered by researchers at Red Balloon Security, the firm that discovered Thrangrycat, a dire bug disclosed in May that affected Cisco’s Trust Anchor module (TAm), a proprietary hardware security chip present in Cisco gear since 2013.
The firm also found a separate remote code execution flaw in the web interface of IOS XE.
While there is no workaround for the new bug, disabling the HTTP Server feature closes this attack vector and “may be a suitable mitigation” until affected devices are running a fixed version, according to Cisco.
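A defender will want to know which devices still expose the web UI before the fixed release is rolled out. The script below is an added example, not a Cisco tool: it parses a running-config excerpt (such as the output of `show running-config | include ip http` collected from each device) and reports whether the HTTP and HTTPS listeners are enabled, then lists the global-configuration commands that turn off the ones still on. The sample configuration, its hostname and version line are constructed for the example; the `ip http server` and `ip http secure-server` commands and their `no` forms are standard IOS commands.

```python
import re

# Constructed running-config excerpt; the hostname and version line are
# made up for the example. Only the "ip http ... server" lines matter here.
SAMPLE_CONFIG = """\
version 16.9
hostname EDGE-RTR1
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
!
"""

# Matches the enabling or negated form of the two web-UI listener lines.
_HTTP_RE = re.compile(r"^(?P<no>no\s+)?ip http (?P<tls>secure-)?server$")


def http_server_status(config_text: str) -> dict:
    """Return {"http": ..., "https": ...} where True means the listener is
    enabled, False means it is explicitly disabled ("no ip http ..."), and
    None means the excerpt carries no such line, so the device itself must
    be checked rather than assumed safe."""
    status = {"http": None, "https": None}
    for raw in config_text.splitlines():
        m = _HTTP_RE.match(raw.strip())
        if not m:
            continue
        key = "https" if m.group("tls") else "http"
        status[key] = m.group("no") is None
    return status


def mitigation_commands(status: dict) -> list:
    """Global-configuration commands that turn off whichever web-UI listener
    is still enabled, leaving already-disabled listeners untouched."""
    cmds = []
    if status.get("http"):
        cmds.append("no ip http server")
    if status.get("https"):
        cmds.append("no ip http secure-server")
    return cmds


if __name__ == "__main__":
    before = http_server_status(SAMPLE_CONFIG)
    print("web UI listeners:", before)
    for cmd in mitigation_commands(before):
        print("configure terminal ->", cmd)
```

Disabling the listeners also removes any legitimate use of the web UI, so the output is a worklist for an administrator to act on, and a device whose excerpt returns `None` for either listener should be inspected directly rather than marked as mitigated.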
Cisco notes that there is proof-of-concept exploit code for this IOS XE vulnerability. However, it adds there’s no indication yet that the exploit code is publicly available.
Nissan gives its new Note e-POWER a smart hybrid upgrade
Nissan has revealed its newest electrified model, with the 2020 Note e-POWER tapping the second-generation of the automaker’s gas-electric hybrid drivetrain. Headed to Japanese dealerships next month, the new Note previews some of the new Nissan design language we’re expecting to see on the all-electric Ariya crossover next year.
Unlike the Ariya, however, the e-POWER system in the 2020 Note isn’t entirely electric. Instead it relies on electric drive for the wheels, but a gas engine that’s brought along to act as a mobile generator. With e-POWER cars, the combustion engine isn’t directly connected to the wheels, but Nissan can also use a smaller – thus lighter and cheaper – battery than in an all-electric model like the Leaf.
Now in its second generation, the e-POWER system in the new Note has a more powerful motor and an improved inverter. The motor gets 10-percent more torque and 6-percent greater output, Nissan says, for improved perkiness from a standing start. It should also be smoother in acceleration, and quieter in the cabin.
As for the inverter, that’s 40-percent smaller than the old model, and 30-percent lighter. Combined with a more efficient gas engine, e-POWER as a whole is more economical; Nissan says it also should be quieter, since the engine runs at a lower RPM than before, and requires fewer engagements. Nissan even tracks road noise to decide when to turn the gas engine on, picking times when background sounds from the road surface conditions and vehicle speed are louder.
There’ll be both front-wheel drive and all-wheel drive versions of the car, the latter using a second electric motor. Both have a new aesthetic which Nissan is calling “Timeless Japanese Futurism”: think a bigger grille, lots of “V”-shaped style elements, and sharper crease lines. LED projector lamps are used at the front, while 16-inch alloy wheels are standard.
Inside, there are Nissan’s favorite Zero Gravity seats, with larger armrests. The rear bench gets reclining seat-backs. A new dashboard design features a larger digital display, and options like wireless phone charging and ProPILOT with Navi-link. That taps the navigation system to monitor for upcoming bends on the highway, and automatically adjust the adaptive cruise control settings appropriately.
What we shouldn’t expect, though, is the new Note e-POWER in the US. Nissan decided to discontinue sales of the model here in favor of the Kicks crossover, and shows no indication of changing that decision even with this new version. Pricing will kick off in Japan at just over $19k, but while we may not get the new Note, it’s likely that more e-POWER models will make it to the US.
2021 Mercedes-Benz Metris returns with better safety features and more standard kit
The 2021 Mercedes-Benz Metris is returning next year with a bevy of new standard kit. Also known as the Vito, V-Class, or Viano in some markets, the Metris is a tad smaller than the full-size Sprinter van, but it’s significantly larger than other midsize vans like the Ford Transit Connect, Ram ProMaster City, and Nissan NV200.
New for the 2021 Metris is Mercedes-Benz’s 9G-TRONIC nine-speed automatic gearbox, which is now standard across all variants. It replaces the old seven-speed auto shifter of the outgoing model, and it still comes with Dynamic Select driving programs like Sport and Comfort modes. Additionally, the new gearbox has a new manual mode, and you can toggle between the gears using the standard steering-mounted paddle shifters.
All variants of the 2021 Mercedes-Benz Metris remain powered by a turbocharged and direct-injected 2.0-liter four-cylinder gasoline engine – the same as the outgoing model. It still produces 208 horsepower and 258 pound-feet of torque, sending power to the rear wheels via its new nine-speed transmission.
Similar to the outgoing model, the new Metris will be sold in two wheelbase options. The standard variant has a 126-inch wheelbase, while the longer versions have a stretched 135-inch wheelbase. Meanwhile, the passenger variant has the same 126-inch wheelbase as the base cargo version and can be fitted with up to eight seats.
As such, the Metris can be optioned with a myriad of door and window configurations including a sliding passenger door, swing-out rear doors, and a rear liftgate. The cargo variant can be fitted with an optional plastic floor while some models have wooden floors. Regardless, the load compartment comes fitted with lashing rails on the sidewall and interior panels. The floor even has a rail system for easier load anchoring.
Style-wise, the new Metris is different from the outgoing model with a new front grille and optional painted bumpers. Customers have the option of choosing a chromed front grille with shiny louvers for a distinctive and more refined look. The expanded range of paint hues now includes two shades of gray (Graphite Gray and Selenite Gray) and a new Steel Blue paint job.
As expected from a Mercedes-Benz, the 2021 Metris is loaded with advanced safety kit. Standard equipment includes attention assist, headlamp assist, crosswind assist, tire pressure monitoring, trailer brake control, and hill start assist. For the first time, active brake assist and active distance assist DISTRONIC are available, while all trim models receive a digital rearview mirror for better rear visibility even when fully loaded with cargo or passengers.
Inside, Metris has a restyled dashboard with new ‘turbine’ air vents. The seat materials are also new, while the driver gets to fiddle with a 7-inch infotainment touchscreen display with Apple CarPlay, Android Auto, and Bluetooth connectivity. Meanwhile, the popular Metris Getaway Camper Van has privacy curtains, a pop-top roof, an integrated table, and optional solar panels among many others.
You can expect the new Mercedes-Benz Metris van to arrive at U.S. dealerships in mid-2021. Pricing will be announced next year, but we’re expecting the new Metris to cost more than its direct competitors in exchange for better versatility and enhanced refinement.
Porsche Taycan sets a Guinness World Record for drifting
Porsche has set a Guinness World Record for the longest drift using an electric vehicle. The EV the sports car maker used to set the record was the popular Porsche Taycan. The record was set at the Porsche Experience Center Hockenheimring.
Porsche instructor Dennis Retera did 210 laps drifting around a 200 meter-long drift circle to set the record. For the entire 210 laps, the front wheels never pointed in the same direction as the curve. After spending 55 minutes sideways around the track, the driver covered 42.171 kilometers.
That distance was enough to allow Retera to grab the world record for the longest continuous drift in an electric car. His average speed was 46 km/h, and a rear-wheel-drive Taycan was used, which is already available in China. Porsche did have to switch the driving stability program off and says that drifting the car was very easy once that was turned off.
The driver says that the vehicle had sufficient power to move around the circle sideways and was stable thanks to its low center of gravity and long wheelbase. Retera is currently the Chief Instructor at the Porsche Experience Center Hockenheimring. Previously, he was a competitor in karting, single-seat racecars, and endurance racing.
He says that it was tiring to keep his concentration high for 210 laps. He also said that the wet asphalt of the drift circuit doesn’t give the same grip everywhere, so he concentrated on controlling the drift with steering rather than the accelerator pedal to reduce the risk of spinning. Guinness World Record official Joanne Brent meticulously documented the record attempt. She’s been supervising record attempts for Guinness World Records for over five years. The video above shows parts of the record-setting run.