Security researchers have found that the firmware for several Cisco small-business routers contains numerous security issues.
The problems include a hardcoded root password hash as well as static X.509 certificates, complete with their private keys, and a static Secure Shell (SSH) host key.
According to the researchers, the static keys are embedded in the routers' firmware and are used to provide HTTPS and SSH access to the affected routers. Because the keys ship inside the firmware image, every device running that firmware uses the same keys, and anyone who extracts the private keys from the image could impersonate the management interface of any affected device.
Cisco admitted the keys were an oversight by its developers, but played down the seriousness of the error, saying the certificates and keys were never intended to ship in products.
Researchers Stefan Viehböck and Thomas Weber of SEC Consult/IoT Inspector found the static certificates and keys in the Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers.
Cisco, in an informational advisory, explains that the researchers found two static X.509 certificates with the corresponding public-private key pairs and one static SSH host key in the devices’ firmware.
The certificates were used for testing purposes during the development of the firmware and were never used for live functionality in any shipping version of the products, according to Cisco.
“The inclusion of these certificates and keys in shipping software was an oversight by the development team for these routers,” Cisco said.
Meanwhile, Cisco explains that the presence of the static SSH host key was due to the Cisco-owned Tail-f Netconf ConfD package that’s included in the firmware. But Cisco says key-based SSH authentication isn’t supported in any shipping version of this firmware.
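The practical check for the static certificates and SSH host key described above is to fingerprint what each router actually serves and compare it, both across the fleet and against material pulled out of the firmware image: a fingerprint that repeats on more than one device, or that matches a key extracted from the firmware, is a baked-in key. The Python below is an added example, not code from the researchers or from Cisco; the host keys and certificates are constructed placeholders (the PEM blocks carry dummy DER bytes, not parsed X.509 certificates), and the device names are made up. The fingerprint formats match what `ssh-keygen -lf` and `openssl x509 -fingerprint -sha256` print, so real `ssh-keyscan` lines and `openssl s_client` output can be fed in unchanged.

```python
import base64
import hashlib
import ssl
import struct
from collections import defaultdict

# --- helpers that build realistic-looking inputs (constructed for this example) ---

def ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length prefix followed by the bytes (RFC 4251)."""
    return struct.pack(">I", len(data)) + data

def make_ed25519_hostkey_line(raw_pubkey):
    """Build an 'ssh-ed25519 AAAA...' host key line in the form ssh-keyscan prints.
    raw_pubkey is 32 bytes; the values used below are placeholders, not real device keys."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii")

def make_pem_cert(der):
    """Wrap bytes in a PEM CERTIFICATE block. The DER here is placeholder bytes, not a real X.509 cert."""
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(der).decode("ascii")
            + "-----END CERTIFICATE-----\n")

# --- fingerprinting, computed the same way ssh-keygen -lf and openssl x509 -fingerprint -sha256 do ---

def ssh_fingerprint(hostkey_line):
    """OpenSSH SHA256 fingerprint: sha256 over the decoded key blob, base64 without '=' padding."""
    _keytype, b64, *_comment = hostkey_line.split()
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")

def cert_fingerprint(pem):
    """SHA-256 fingerprint of the DER certificate inside a PEM block, colon-separated like openssl."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

# --- the audit ---

def audit_fleet(observations, firmware_fingerprints):
    """observations: iterable of (device, kind, fingerprint) collected from live devices.
    firmware_fingerprints: fingerprints of keys/certs found inside the firmware image.
    Returns one finding per fingerprint that is shared by more than one device or matches
    material baked into the firmware; a unique, device-generated key produces no finding."""
    seen = defaultdict(set)
    for device, kind, fp in observations:
        seen[(kind, fp)].add(device)
    findings = []
    for (kind, fp), devices in sorted(seen.items()):
        in_fw = fp in firmware_fingerprints
        if len(devices) > 1 or in_fw:
            findings.append({"kind": kind, "fingerprint": fp,
                             "devices": sorted(devices), "in_firmware": in_fw})
    return findings

def flagged_devices(findings):
    """Devices that appear in at least one finding."""
    return sorted({d for f in findings for d in f["devices"]})

# Constructed sample data: the "static" key and cert stand in for material extracted from a
# firmware image; two routers serve them unchanged, a third has a unique key and a unique cert.
STATIC_HOSTKEY = make_ed25519_hostkey_line(bytes(range(32)))
UNIQUE_HOSTKEY = make_ed25519_hostkey_line(bytes(range(100, 132)))
STATIC_CERT = make_pem_cert(b"\x30\x82\x01\x00" + bytes(range(256)))
UNIQUE_CERT = make_pem_cert(b"\x30\x82\x01\x00" + bytes(range(255, -1, -1)))

FIRMWARE_FINGERPRINTS = {ssh_fingerprint(STATIC_HOSTKEY), cert_fingerprint(STATIC_CERT)}

OBSERVATIONS = [
    ("rv320-branch-1", "ssh", ssh_fingerprint(STATIC_HOSTKEY)),
    ("rv320-branch-1", "tls", cert_fingerprint(STATIC_CERT)),
    ("rv325-branch-2", "ssh", ssh_fingerprint(STATIC_HOSTKEY)),
    ("rv325-branch-2", "tls", cert_fingerprint(STATIC_CERT)),
    ("rv325-lab", "ssh", ssh_fingerprint(UNIQUE_HOSTKEY)),
    ("rv325-lab", "tls", cert_fingerprint(UNIQUE_CERT)),
]

if __name__ == "__main__":
    for f in audit_fleet(OBSERVATIONS, FIRMWARE_FINGERPRINTS):
        print(f"{f['kind']} {f['fingerprint']}: shared by {f['devices']}, in firmware={f['in_firmware']}")
```

The "in_firmware" flag is the decisive signal: a key shared by two devices could in principle be a cloned configuration, but a key that also appears inside the vendor's firmware image cannot have been generated on the device. Note that the check says nothing about whether the key is actually used for live sessions, which is exactly the point Cisco disputes; the fingerprint a device serves over port 443 or 22 is what settles that.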
The researchers also found a hardcoded password hash for the root user in the firmware.
“An attacker with access to the base operating system on an affected device could exploit this issue to obtain root-level privileges. However, Cisco is not currently aware of a way to access the base operating system on these routers,” Cisco notes.
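A hardcoded hash of the kind described here is normally found by unpacking the firmware's root filesystem and reading its /etc/shadow: any account whose password field holds a real hash rather than a lock marker has a password that is identical on every unit and can be attacked offline by anyone holding the image. The following Python is an added example, not code from the researchers or from Cisco; the shadow lines are constructed placeholders (the hash strings are not recovered from any device), and the account names are invented. It classifies each password field by its crypt(3) identifier and flags the weak formats.

```python
import re

# Constructed sample of an /etc/shadow from an unpacked firmware root filesystem.
# Hash strings are placeholders, not hashes recovered from any real device.
SAMPLE_SHADOW = """\
root:$1$abcdefgh$0123456789ABCDEFGHIJKL:10933:0:99999:7:::
admin:!:10933:0:99999:7:::
daemon:*:10933:0:99999:7:::
svc:$6$saltsalt$PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER:10933:0:99999:7:::
"""

# crypt(3) identifiers as they appear between the first two '$' of a modular hash.
HASH_ALGORITHMS = {
    "1": "md5crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "7": "scrypt",
    "y": "yescrypt",
}
# Formats that are fast enough to brute-force that a leaked hash should be treated as a leaked password.
WEAK = {"md5crypt", "traditional DES crypt"}

def classify_hash(field):
    """Return (algorithm, weak) for one shadow password field."""
    if field == "":
        return "empty (no password required)", True
    if field[0] in "!*":
        return "locked", False
    m = re.match(r"^\$([^$]+)\$", field)
    if m:
        algo = HASH_ALGORITHMS.get(m.group(1), "unknown crypt id " + m.group(1))
        return algo, algo in WEAK
    if len(field) == 13:
        return "traditional DES crypt", True
    return "unrecognised", True

def parse_shadow(text):
    """Yield (user, password_field) for each entry; comments and blank lines are skipped."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        yield fields[0], fields[1]

def audit_shadow(text):
    """Return [(user, algorithm, weak)] for every account that is NOT locked, i.e. every
    account whose baked-in password is shared by all devices running this firmware."""
    findings = []
    for user, field in parse_shadow(text):
        algo, weak = classify_hash(field)
        if algo == "locked":
            continue
        findings.append((user, algo, weak))
    return findings

if __name__ == "__main__":
    for user, algo, weak in audit_shadow(SAMPLE_SHADOW):
        print(f"{user}: {algo}{' (weak)' if weak else ''}")
```

In the constructed sample the root entry uses md5crypt, which is the case that matters most: even a strong password behind a fast hash is within reach of offline cracking once the image is public, and because every device carries the same hash, cracking it once yields root on all of them wherever a shell can be reached.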
Cisco says it removed the static certificates and keys and the hardcoded user account in firmware releases 1.5.1.05 and later for the Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers.
The two researchers found similar issues in the firmware for the Cisco Small Business RV016, RV042, RV042G, and RV082 routers.
In this case, there was an X.509 certificate with a corresponding public/private key pair that was issued to Taiwanese networking equipment maker QNO Technology.
Again, Cisco says it was an oversight by the team that developed these routers and that the keys were never used for live functionality in shipping products, which instead used dynamically created certificates.
Cisco fixed this issue in firmware release 126.96.36.199, which also includes a fix for a newly disclosed high-severity bug affecting the RV016, RV042, RV042G, and RV082 routers.
Unlike the static-key issues, this bug was assigned the tracking identifier CVE-2019-15271 and carries a severity score of 8.8 out of 10. The flaw in the routers' web-based management interface could allow an authenticated remote attacker to execute arbitrary commands with root privileges.
Admins must update the firmware, since there is no workaround. Cisco does advise that admins can disable the remote management feature if it is not required for business; this removes the web interface from the WAN side, but it remains reachable from the LAN, so the update is still needed.
Cisco has also disclosed a command-injection vulnerability affecting the RV016, RV042, RV042G, RV082, RV320, and RV325 small-business routers.
It has also just detailed high-severity flaws affecting the Cisco Web Security Appliance, Cisco Wireless LAN Controller, the Webex Network Recording Player and Webex Player, the TelePresence Collaboration Endpoint, and the Cisco Prime Infrastructure and Evolved Programmable Network Manager.
Details about these bugs and fixes can be found on Cisco’s security advisories page.