Connect with us

Cars

Cisco: All these routers have the same embedded crypto keys, so update firmware

Published

on

Cisco: DNS attacks will undermine trust in the internet
Sophisticated hacking group taps wide set of vulnerabilities as part of their global hacking spree.

Security researchers have found that the firmware for several Cisco small-business routers contains numerous security issues.

The problems include hardcoded password hashes as well as static X.509 certificates with the corresponding public-private key pairs and one static Secure Shell (SSH) host key.

The static keys are embedded in the routers firmware and are used for providing HTTPS and SSH access to the affected routers. The issue means all devices with the affected firmware use the same keys. 

Cisco admits it was an oversight by its developers, but downplayed the seriousness of the error because the certificates and keys were never intended for shipping products. 

SEE: 10 tips for new cybersecurity pros (free PDF)

Researchers Stefan Viehböck and Thomas Weber of SEC Consult/IoT Inspector found the static certificates and keys in the Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers. 

Cisco, in an informational advisory, explains that the researchers found two static X.509 certificates with the corresponding public-private key pairs and one static SSH host key in the devices’ firmware. 

The certificates were used for testing purposes during the development of the firmware and were never used for live functionality in any shipping version of the products, according to Cisco. 

“The inclusion of these certificates and keys in shipping software was an oversight by the development team for these routers,” Cisco said. 

Meanwhile, Cisco explains that the presence of the static SSH host key was due to the Cisco-owned Tail-f Netconf ConfD package that’s included in the firmware. But Cisco says key-based SSH authentication isn’t supported in any shipping version of this firmware. 

The researchers also found a hardcoded password hash for the root user in the firmware. 

“An attacker with access to the base operating system on an affected device could exploit this issue to obtain root-level privileges. However, Cisco is not currently aware of a way to access the base operating system on these routers,” Cisco notes. 

Cisco says it removed the static certificates and keys and the hardcoded user account in firmware releases 1.5.1.05 and later for the Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers.

The two researchers found similar issues in the firmware for Cisco Small Business RV series routers RV016, RV042, RV042G, and RV082 Routers. 

In this case, there was an X.509 certificate with a corresponding public/private key pair that was issued to Taiwanese networking equipment maker QNO Technology. 

Again, Cisco says it was an oversight by the team that developed these routers and that the keys were never used for live functionality in shipping products, which instead used dynamically created certificates. 

Cisco fixed this issue in firmware release 4.2.3.10, which also includes a fix for a newly disclosed high-severity bug affecting the RV016, RV042, RV042G, and RV082 routers. 

This bug did warrant the tracking identifier CVE-2019-15271 and has a severity score of 8.8 out of 10. A bug in the web interface of the routers could allow a remote attacker who has authenticated to execute malicious commands with root privileges. 

SEE: Cisco unifies its collaboration tools on one platform

Admins must update the firmware since there is no workaround. However, Cisco advises that admins can disable the remote management feature if it’s not required for business. This disables the web interface. 

Cisco has also disclosed a command-injection vulnerability affecting the RV016, RV042, RV042G, RV082, RV320, and RV325 small-business routers.

It has also just detailed high-severity flaws affecting the Cisco Web Security Appliance, Cisco Wireless LAN Controller, the Webex Network Recording Player and Webex Player, the TelePresence Collaboration Endpoint, and the Cisco Prime Infrastructure and Evolved Programmable Network Manager. 

Details about these bugs and fixes can be found on Cisco’s security advisories page. 

More on Cisco and network security

  • Cisco: These Wi-Fi access points are easily owned by remote hackers, so patch now  
  • Cisco warning: These routers running IOS have 9.9/10-severity security flaw
  • Patch now: Cisco IOS XE routers exposed to rare 10/10-severity security flaw  
  • Seriously? Cisco put Huawei X.509 certificates and keys into its own switches
  • New Cisco critical bugs: 9.8/10-severity Nexus security flaws need urgent update
  • Cisco critical-flaw warning: These two bugs in our data-center gear need patching now
  • Cisco alert: Patch this dangerous bug open to remote attacks via malicious ads
  • Thrangrycat flaw lets attackers plant persistent backdoors on Cisco gear
  • Cisco’s warning: Patch now, critical SSH flaw affects Nexus 9000 fabric switches
  • Cisco warns over critical router flaw
  • Cisco: These are the flaws DNS hijackers are using in their attacks
  • Cisco bungled RV320/RV325 patches, routers still exposed to hacks
  • Cisco tells Nexus switch owners to disable POAP feature for security reasons
  • Cisco: Patch routers now against massive 9.8/10-severity security hole
  • How to improve cybersecurity for your business: 6 tips TechRepublic
  • New cybersecurity tool lets companies Google their systems for hackers CNET


  • Source link

    Continue Reading

    Cars

    2022 Land Rover Defender V8 brings 518hp to SUV icon

    Published

    on

    Land Rover has revealed its new 2022 Defender V8, adding a much-requested engine upgrade for the SUV, along with new special editions. Returning to the US for the first time in decades last year, the new Defender combines retro-inspired styling with the sort of off-road abilities you’d expect from what’s arguably the automaker’s most enduring nameplate.

    While initial reviews – ours included – were generally positive, one omission was under the hood. Land Rover launched the Defender with a pair of inline-six engines as the biggest on offer, not exactly slow but also not having that V8 grunt that some fans of the SUVs really wanted. Happily, it’s being corrected for the new 2022 model year.

    2022 Land Rover Defender 90 V8 and 110 V8

    The 2022 Defender V8 will have a 5.0-liter supercharged V8, with 518 horsepower and 461 lb-ft of torque. It’ll be offered in both the Defender 110 and Defender 90 body styles – with five and three doors, respectively – with the latter doing 0-60 mph in 4.9 seconds and on to a top speed of 149 mph. That’ll make it the fastest and most powerful production Defender ever, Land Rover says.

    As you’d expect, all-wheel drive is standard, along with special suspension and transmission tuning. There’s a new Electronic Active Rear Differential which the automaker says should deliver improvements in handling and body control, and an eight-speed automatic transmission. A new Dynamic program in the Terrain Response system will be exclusive to the V8 SUVs, intended for more spirited driving on asphalt and loose surfaces.

    Helping there, there’ll be larger solid anti-roll bars, and retuned Continuously Variable Damping. Torque vectoring with braking is supported, with Land Rover fitting Xenon Blue front brake calipers for the 15-inch front discs. V8-exclusive 22-inch alloy wheels and quad tailpipes will also be offered, and there’ll be three colors – Carpathian Grey and Yulong White, both with a contrast Narvik Black roof, and Santorini Black – with Shadow Atlas exterior trim detailing.

    Inside, there’ll be special Ebony Windsor Leather with Mike Suedecloth and Robustec accents. The exposed cross-car beam running along the dashboard will be finished in Satin Black. The steering wheel gets Alcantara on the rim and satin chrome paddle-shifters, along with leather on the airbag housing that matches the gear selector trim. Finally, the illuminated tread plates have V8 badging.

    Pricing for the 2022 Defender V8 will be confirmed closer to the SUV’s arrival in US dealerships. That’ll happen later in the year.

    2022 Defender V8 Carpathian Edition

    Marking the arrival of the V8 option is the 2022 Defender V8 Carpathian Edition. It’ll be the flagship of the line-up, in exclusive Carpathian Grey premium metallic paint with a Narvik Black contrast roof, hood, and tailgate. Satin Black tow eyes, Carpathian Gloss front and rear skid pans and front grille bar, and Xenon Blue brake calipers will also set it apart.

    Land Rover Satin Protective Film will give the exterior a semi-matte finish but also help protect from scrapes. Inside, it’ll be the same as the regular V8 SUV. Pricing will be confirmed closer to launch.

    2022 Defender XS Edition

    Replacing the Defender First Edition, the 2022 Defender XS Edition will also be offered in 110 and 90 body styles. It has body-colored lower cladding and lower wheel arches, with 20-inch, contrast diamond-turned alloy wheels finished in Satin Grey. Land Rover will offer it in four colors: Silicon Silver, Hakuba Silver, Gondwana Stone, and Santorini Black. Pricing will be confirmed closer to launch.

    Inside, there are 12-way, heated and cooled electric memory seats in Ebony Grained leather and Robust Woven Textile. The Cross Car Beam has a Light Grey powder coat brushed finish, and Land Rover has added the extended leather package with illuminated metal treadplates.

    For other specs, there’s the P400 mild-hybrid engine with 395 hp and 406 lb-ft of torque, electronic air suspension, adaptive dynamics, tri-zone climate control, and adaptive cruise control. It also features the updated Pivi Pro infotainment system, which is new for the 2022 model year. That has wireless device charging with a phone signal booster, plus can be had with a larger 11.4-inch touchscreen with curved glass.

    Land Rover has simplified the menu structure, and there’s new navigation with dynamic guidance. Intelligent route learning promises to figure out your common routes and propose them – complete with adjustments for traffic – when you get into the car.

    Still to come, more Land Rover Defender electrification

    What Land Rover isn’t telling us, yet, is when the Defender will get its more serious electrification. The automaker has promised six pure electric variants across its range within the next five years, with a pure electric version of the Defender by the end of the decade.

    Continue Reading

    Cars

    Fisker and Foxconn team on new EV with outsized ambitions

    Published

    on

    Fisker and Foxconn are teaming up on an an electric vehicle, with the EV-company and the manufacturing heavyweight aiming for go far beyond the niche production in the automaker’s past. Codenamed Project PEAR – or “Personal Electric Automotive Revolution” – the goal is to make a more affordable EV that can hit the sort of sales numbers more commonplace among mainstream gas models.

    Fisker is probably best known for its role in the style-forward Karma hybrid sedan, a project now being run independently by Karma Automotive. Plans rebooted, Fisker first unveiled the EMotion EV back in 2018, a striking luxury electric sedan with double-gullwing doors.

    Production for that, though, was put on the back-burner, as Fisker turned instead to more affordable, mainstream fare. The Fisker Ocean is promised to be a sub-$40k electric SUV, with the car company inking a deal with auto parts behemoth Magna to build the plug-in. Manufacturing is expected to begin in Q4 2022, and even without a production-ready prototype shown – something Fisker says will happen later this year – there are apparently upwards of 12k paid reservations for the car.

    One vehicle does not an automaker make, though, and so Fisker is looking to its next model. That’ll be jointly developed by it and Foxconn, sold under the Fisker brand, and included as part of Fisker’s Flexee Lease program. Foxconn will be responsible for manufacturing, bringing the same heft that powers iPhone production to automotive.

    Project PEAR – details on which are scant, currently – will be “destined for multiple global markets” Fisker said today. Production is currently earmarked for Q4 2023, and it’ll be the second EV in Fisker’s range.

    Fisker’s ambitions aren’t exactly low. The expectation is that it’ll take just 24 months to develop the car, including research and development, and becoming production-ready. That’s about half the time most automakers would expect to take. Foxconn hasn’t been shy about its EV hopes in the past, either, already cutting deals with Byton and Fiat Chrysler in the past on electric vehicle technology.

    “The key success elements of electric vehicle development include the electric motor, electric control module and battery,” Young-way Liu, Foxconn Technology Group Chairman, said today in a statement. “We have two major advantages in this regard, with an exceptional vertically integrated global supply chain and the best supply chain management team in our industry.”

    Discussions are underway between the firms, with a formal partnership expected to be signed in Q2 2021. The two firms are aiming high, too, with projected 250,000 annual volume of the vehicle. Exactly what it will look like, cost, how much range it might pack, where it will launch, and other details are still in short supply: Fisker’s design inspiration sketch would seem to imply a crossover of some sort, a sensible choice given the skew of sales right now toward that category.

    Continue Reading

    Cars

    2021 Mitsubishi Outlander PHEV has more range, more power, and a lower base price

    Published

    on

    That’s right. Mitsubishi will continue selling the 2021 Outlander PHEV alongside the all-new, Rogue-based 2022 Outlander. The Japanese carmaker is burning the midnight oil in conceptualizing a new plug-in hybrid (PHEV) based on the new model, but Mitsubishi is not leaving anything to chance.

    The carmaker is making sure it has a crossover PHEV in its lineup for customers, and is the reason why you’ll find the 2021 Outlander PHEV together with the new 2022 Outlander in Mitsubishi showrooms.

    Nevertheless, Mitsubishi’s making sure you get the most bang for your buck in the 2021 Outlander PHEV. It starts with a more robust and fuel-efficient 2.4-liter four-cylinder gas engine producing 126 horsepower and 148 pound-feet of torque. Next, the previous 60 kW rear-mounted electric motor makes way for a more potent 70 kW unit.

    As expected, the power figures are quite generous for a midsize crossover. The 2021 Mitsubishi Outlander PHEV’s advanced hybrid powertrain pumps out 221 horsepower, 31 more horses than the outgoing model. It also has a more significant 13.8 kWh battery pack (the old model had a 12.0 kWh battery), boosting the all-electric range from 22 to 24 miles.

    Admittedly, the 2-miles range boost is small by modern EV standards. But for most people, it’s enough to cover a trip to a grocery or convenience store without burning a drop of fuel. And since the new Outlander PHEV has a better range, it now qualifies for larger tax incentives depending on where you live.

    Sold in three trim models, the base 2021 Outlander PHEV SEL-AWC starts at $37,490 (including $1,195 destination fees). It now qualifies for up to $6,587 in federal incentives, increasing around $750 over the old model, further lowering the MSRP.

    Meanwhile, the Outlander PHEV LE S-AWC has base prices starting at $39,190, while the range-topping GT S-AWC model starts at $43,190 before federal and state credits. The former adds a blacked-out grille, a sunroof, bespoke 18-inch alloy wheels, and blacked-out bumpers. The good news? Mitsubishi’s Outlander PHEV is available to order now.

    Continue Reading

    Trending