Cisco’s warning: Patch now, critical SSH flaw affects Nexus 9000 fabric switches


Cisco has revealed that its Nexus 9000 fabric switches have a critical flaw that could allow anyone to remotely connect to a vulnerable device using Secure Shell (SSH) and control it with root user privileges.

The company disclosed the bug on Tuesday and has given it a severity rating of 9.8 out of 10. 

The issue stems from SSH key management in the Nexus 9000 Series Application Centric Infrastructure (ACI) Mode Switch Software. Cisco mistakenly put a default SSH key pair in the devices that an attacker could grab by connecting to the device over IPv6.

“An attacker could exploit this vulnerability by opening an SSH connection via IPv6 to a targeted device using the extracted key materials. An exploit could allow the attacker to access the system with the privileges of the root user,” Cisco explains, noting it can’t be exploited over IPv4.  


The bug was found by external security researcher Oliver Matula from ERNW Enno Rey Netzwerke. 

There are no workarounds, so Cisco is encouraging customers to update the software. 

The bug affects Nexus 9000 Series Fabric Switches in ACI mode when they are running a Cisco NX-OS Software release earlier than 14.1(1i).

Cisco also has fixes available for several other vulnerabilities affecting the Nexus 9000 software, all of which affect systems running Cisco NX-OS Software releases prior to 14.1(1i).
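The fixed release is the one fact the advisory gives an administrator to act on, so a useful defender check is to compare the release each ACI-mode switch reports against 14.1(1i). The following is an added example, not Cisco's code: it parses NX-OS release strings in the `14.1(1i)` form and flags devices still on an older release. The hostnames and inventory releases are constructed, and the ordering assumes the maintenance number and patch letter compare numerically and alphabetically.

```python
import re
from typing import List, NamedTuple, Tuple

# NX-OS ACI-mode releases look like "14.1(1i)": major.minor, then a
# parenthesised maintenance number followed by an optional patch letter.
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]?)\)$")

FIXED_RELEASE = "14.1(1i)"  # first fixed release named in the advisory


class Release(NamedTuple):
    major: int
    minor: int
    maintenance: int
    patch: str  # "" sorts before "a"; letters compare alphabetically (assumption)


def parse_release(text: str) -> Release:
    """Parse an NX-OS release string such as '14.1(1i)' into a comparable tuple."""
    m = _RELEASE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised NX-OS release string: {text!r}")
    major, minor, maint, patch = m.groups()
    return Release(int(major), int(minor), int(maint), patch)


def is_affected(running: str, fixed: str = FIXED_RELEASE) -> bool:
    """True when the running release is strictly older than the fixed release."""
    return parse_release(running) < parse_release(fixed)


# Constructed inventory: (hostname, release as reported by 'show version').
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("aci-leaf-101", "13.2(3n)"),
    ("aci-leaf-102", "14.0(1h)"),
    ("aci-spine-201", "14.1(1i)"),
    ("aci-spine-202", "14.1(2g)"),
]


def unpatched_devices(inventory, fixed: str = FIXED_RELEASE) -> List[str]:
    """Return hostnames whose release predates the fixed release."""
    return [host for host, rel in inventory if is_affected(rel, fixed)]


if __name__ == "__main__":
    for host in unpatched_devices(SAMPLE_INVENTORY):
        print(f"{host}: running pre-{FIXED_RELEASE} NX-OS, update required")
```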

ERNW’s Matula also reported a medium-severity path traversal flaw in the Nexus 9000 ACI mode software that would allow a local attacker with valid credentials to use ‘symbolic links’ to overwrite potentially sensitive system files.   

Another fix in Cisco NX-OS Software 14.1(1i) is a high-severity elevation of privilege flaw that allowed a local attacker with valid admin credentials for a device to execute arbitrary NX-OS commands as the root user. 

“The vulnerability is due to overly permissive file permissions of specific system files. An attacker could exploit this vulnerability by authenticating to an affected device, creating a crafted command string, and writing this crafted string to a specific file location,” Cisco explains.  

Pre-14.1(1i) NX-OS also wasn’t properly validating TLS client certificates sent between components of an ACI fabric. 

An attacker with a certificate that is trusted by the Cisco Manufacturing certificate authority and the corresponding private key could present a valid certificate while attempting to connect to the targeted device.  

“An exploit could allow the attacker to gain full control of all other components within the ACI fabric of an affected device,” Cisco notes. 

How To Back Up Your Mac To iCloud

Published

on

iCloud can come in clutch in a variety of situations. For example, you may not need to wrestle with Migration Assistant when setting up a new Mac if you’ve backed up all your important data to iCloud. However, there’s a reason Apple still puts Time Machine on every Mac the company sells: Time Machine backs up your Mac’s entire system, including all your apps and files. Not only that, but Time Machine also keeps a version history of every change you make to your Mac on an hourly and daily basis.

Depending on the sizes of both your Time Machine drive and your Mac’s internal storage drive, your Time Machine history could stretch back days, months, or even years. Time Machine can be a real lifesaver, too, if the developer of an app you use stops publishing it, since you can always just reinstall it from your Time Machine backup. You almost can’t have too many backups of your important data, so there’s not much reason not to take advantage of both Time Machine and iCloud when protecting the files on your Mac. And since the two options handle backups differently from each other, you’re not getting duplicate backups but rather a more expansive backup overall.

Honda Prologue EV SUV Gets First Design Preview Ahead Of US Launch

Published

on

Honda has big ambitions for the Prologue, though we’ve expressed skepticism about the automaker’s projected sales targets in the past. Since then, of course, the world has changed considerably. The global fuel crisis — led in no small part by Russia’s invasion of Ukraine — has seen prices spike worldwide, and the car market could have taken on a much different shape by the time Honda’s EV finally hits the ground in 2024. As reported by The Washington Post on May 18, 2022, United States Treasury Secretary Janet Yellen stated that the cost of gasoline has increased by $4 across the country, and there’s no expectation for that to change any time soon.

That requires actually building EVs to meet demand, however, something every automaker has experienced issues with in the past few years. The impact of the ongoing COVID-19 pandemic on global supply chains has been considerable, and shows no signs of alleviating any time soon. Honda may have plenty of demand for the 2024 Prologue, then, but whether it can actually meet that remains uncertain. 

At least the dealerships themselves should be ready for the EV future, even if production lines aren’t necessarily at capacity. The early designs for the modular, charging station-equipped locations show a layout that Honda claims will scale according to the total number of EVs it actually sells. The automaker plans to roll out 30 different EV models by 2030, using not only Ultium but its own Honda e:Architecture, at which point it also expects to have sold a whopping 500,000 EVs overall.

The Real Reason Michael Burry Bet Millions Against Apple

Published

on

Wright explains that Buffett is a long-term investor while Burry shorts stock on short-term plays. Buffett is not in the business of predicting company stock prices but invests in companies that he believes have business value down the road. Burry, on the other hand, is looking at what Apple stocks will do in the near future. Inflation, supply chain issues complicating the technology sector, China’s COVID-19 lockdowns, and the performance of NASDAQ are bound to affect Apple stock in the short term.

Burry has been open about his vision of the market, assuring that “the greatest speculative bubble of all time in all things” is inevitably leading to the “mother of all crashes” with investors piling up on cryptocurrencies (via Business Insider). Burry’s put options on Apple stocks give him the right (but not the obligation) to sell shares at a certain price, at a certain time. “If Apple doesn’t fall beneath a certain price by that time, the put options would expire worthless,” Billy Duberstein explains in a separate post for Fool.

Benzinga adds that Burry’s bearish position is valued at around $36 million if he exercises it. It is the largest position in his portfolio. Apple stock had a big run, quadrupling its stock price since early 2019. However, by May 2022, Apple stocks are down 20% year-to-date. The company from Cupertino saw a 16% drop in the stock price in this past quarter alone. Burry’s portfolio reveals his confidence in the U.S. market. He slashed it from 20 holdings to just six in the third quarter of 2021, with a value that dropped from $140 million to $42 million. In the fourth quarter, he swapped three of his remaining six holdings, lifting his portfolio to $74 million. “Short sellers on a stock have nothing, zero, zilch, nada, to do with the success or failure of the underlying business,” Burry tweeted on April 27.
