Cisco: All these routers have the same embedded crypto keys, so update firmware


Security researchers have found that the firmware for several Cisco small-business routers contains numerous security issues.

The problems include hardcoded password hashes as well as static X.509 certificates with the corresponding public-private key pairs and one static Secure Shell (SSH) host key.

The static keys are embedded in the routers' firmware and are used to provide HTTPS and SSH access to the affected routers, so every device running the affected firmware uses the same keys.

Cisco admits it was an oversight by its developers, but downplayed the seriousness of the error because the certificates and keys were never intended for shipping products. 


Researchers Stefan Viehböck and Thomas Weber of SEC Consult/IoT Inspector found the static certificates and keys in the Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers. 

Cisco, in an informational advisory, explains that the researchers found two static X.509 certificates with the corresponding public-private key pairs and one static SSH host key in the devices’ firmware. 

The certificates were used for testing purposes during the development of the firmware and were never used for live functionality in any shipping version of the products, according to Cisco. 

“The inclusion of these certificates and keys in shipping software was an oversight by the development team for these routers,” Cisco said. 

Meanwhile, Cisco explains that the presence of the static SSH host key was due to the Cisco-owned Tail-f Netconf ConfD package that’s included in the firmware. But Cisco says key-based SSH authentication isn’t supported in any shipping version of this firmware. 
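The practical consequence of a firmware-wide static host key or certificate is that it shows up as the same fingerprint on every device. The script below is an added example, not code from the article or from Cisco: it parses `ssh-keyscan`-style output (a constructed sample, with made-up key blobs and hosts in the 192.0.2.0/24 documentation range), computes the OpenSSH-style SHA256 fingerprint of each key, and reports any fingerprint that appears on more than one device. The same grouping works for TLS certificate fingerprints collected with `openssl x509 -fingerprint -sha256`.

```python
import base64
import hashlib
from collections import defaultdict


def fake_key_blob(label: str) -> str:
    """Base64 blob standing in for a public key. Constructed placeholder, not a real key."""
    return base64.b64encode(f"constructed-public-key-{label}".encode()).decode()


# Constructed sample in `ssh-keyscan` / known_hosts format: "<host> <key-type> <base64-key>".
# Hosts .10 and .11 deliberately carry the same blob to model a firmware-wide static host key.
SAMPLE_KEYSCAN = "\n".join([
    f"192.0.2.10 ssh-rsa {fake_key_blob('shared')}",
    f"192.0.2.11 ssh-rsa {fake_key_blob('shared')}",
    f"192.0.2.12 ssh-rsa {fake_key_blob('unique')}",
    "# comment lines and blanks are ignored",
    "",
])


def ssh_fingerprint(b64_key: str) -> str:
    """OpenSSH-style SHA256 fingerprint: base64(sha256(raw key bytes)) without '=' padding."""
    raw = base64.b64decode(b64_key)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text: str) -> list[tuple[str, str, str]]:
    """Return (host, key_type, fingerprint) for each key line, skipping comments and blanks."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line, ignore rather than crash the audit
        host, key_type, b64_key = parts[0], parts[1], parts[2]
        entries.append((host, key_type, ssh_fingerprint(b64_key)))
    return entries


def shared_host_keys(text: str) -> dict[str, list[str]]:
    """Map each fingerprint seen on more than one host to the sorted list of those hosts."""
    by_fp = defaultdict(set)
    for host, _key_type, fp in parse_keyscan(text):
        by_fp[fp].add(host)
    return {fp: sorted(hosts) for fp, hosts in by_fp.items() if len(hosts) > 1}


if __name__ == "__main__":
    for fp, hosts in shared_host_keys(SAMPLE_KEYSCAN).items():
        print(f"{fp} shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

Run it against real `ssh-keyscan` output for a fleet and any fingerprint listed more than once is a key that is not unique to the device; a fixed firmware should produce a different fingerprint on every router.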

The researchers also found a hardcoded password hash for the root user in the firmware. 

“An attacker with access to the base operating system on an affected device could exploit this issue to obtain root-level privileges. However, Cisco is not currently aware of a way to access the base operating system on these routers,” Cisco notes. 
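A hardcoded password hash of this kind is found by auditing the account database inside the firmware image. The following is an added example, not code from the article or from Cisco; it assumes the firmware's root filesystem has already been extracted and reads an `/etc/shadow`-style file (a constructed sample with made-up hash strings), reporting every account that has a usable hash or no password at all rather than a locked marker.

```python
# Constructed /etc/shadow excerpt modelling an extracted router root filesystem.
# The hash strings are made-up placeholders, not values from any real firmware.
SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhashvalue0123456789:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
admin:!:18000:0:99999:7:::
nobody::18000:0:99999:7:::
# comments and blank lines are tolerated

"""

# crypt(3) scheme identifiers that appear as the "$id$" prefix of a modern hash field.
ALGORITHMS = {
    "1": "md5-crypt",
    "2a": "bcrypt",
    "2b": "bcrypt",
    "2y": "bcrypt",
    "5": "sha256-crypt",
    "6": "sha512-crypt",
    "y": "yescrypt",
}


def classify_hash(field: str) -> str:
    """Classify the password field of one shadow entry."""
    if field == "":
        return "empty"   # no password set at all
    if field in ("*", "!", "!!") or field.startswith("!"):
        return "locked"  # disabled account, or a hash disabled with a '!' prefix
    return "hash"        # a hash a password could be checked against


def hash_algorithm(field: str) -> str:
    """Name the crypt scheme from the '$id$' prefix; legacy DES hashes have no prefix."""
    if field.startswith("$"):
        parts = field.split("$")
        if len(parts) > 2 and parts[1] in ALGORITHMS:
            return ALGORITHMS[parts[1]]
        return "unknown"
    return "des-crypt" if field else "none"


def parse_shadow(text: str) -> list[tuple[str, str]]:
    """Return (user, password_field) pairs, skipping comments, blanks and malformed lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        entries.append((fields[0], fields[1]))
    return entries


def usable_accounts(text: str) -> list[tuple[str, str, str]]:
    """List (user, kind, algorithm) for accounts that are not locked."""
    findings = []
    for user, field in parse_shadow(text):
        kind = classify_hash(field)
        if kind != "locked":
            findings.append((user, kind, hash_algorithm(field)))
    return findings


if __name__ == "__main__":
    for user, kind, algo in usable_accounts(SAMPLE_SHADOW):
        print(f"{user}: {kind} ({algo})")
```

On a shipping image every service account is expected to be locked; an unlocked entry with a real hash, as reported here for the constructed `root` line, is exactly the kind of leftover the advisory describes.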

Cisco says it removed the static certificates and keys and the hardcoded user account in firmware releases and later for the Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers.

The two researchers found similar issues in the firmware for Cisco Small Business RV series routers RV016, RV042, RV042G, and RV082 Routers. 

In this case, there was an X.509 certificate with a corresponding public/private key pair that was issued to Taiwanese networking equipment maker QNO Technology. 

Again, Cisco says it was an oversight by the team that developed these routers and that the keys were never used for live functionality in shipping products, which instead used dynamically created certificates. 

Cisco fixed this issue in firmware release, which also includes a fix for a newly disclosed high-severity bug affecting the RV016, RV042, RV042G, and RV082 routers. 

This bug was assigned the tracking identifier CVE-2019-15271 and has a severity score of 8.8 out of 10. The bug, in the routers' web interface, could allow an authenticated remote attacker to execute malicious commands with root privileges.


Admins must update the firmware, since there is no workaround. Cisco does advise, however, that admins can disable the remote management feature if it isn't required for business, which disables the web interface.

Cisco has also disclosed a command-injection vulnerability affecting the RV016, RV042, RV042G, RV082, RV320, and RV325 small-business routers.

It has also just detailed high-severity flaws affecting the Cisco Web Security Appliance, Cisco Wireless LAN Controller, the Webex Network Recording Player and Webex Player, the TelePresence Collaboration Endpoint, and the Cisco Prime Infrastructure and Evolved Programmable Network Manager. 

Details about these bugs and fixes can be found on Cisco’s security advisories page. 
