Cisco’s warning: Patch now, critical SSH flaw affects Nexus 9000 fabric switches


Cisco has revealed that its Nexus 9000 fabric switches have a critical flaw that could allow anyone to remotely connect to a vulnerable device using Secure Shell (SSH) and control it with root user privileges.

The company disclosed the bug on Tuesday and has given it a severity rating of 9.8 out of 10. 

The issue stems from SSH key management in the Nexus 9000 Series Application Centric Infrastructure (ACI) Mode Switch Software. Cisco mistakenly put a default SSH key pair in the devices that an attacker could grab by connecting to the device over IPv6.

“An attacker could exploit this vulnerability by opening an SSH connection via IPv6 to a targeted device using the extracted key materials. An exploit could allow the attacker to access the system with the privileges of the root user,” Cisco explains, noting it can’t be exploited over IPv4.  


The bug was found by external security researcher Oliver Matula from ERNW Enno Rey Netzwerke. 

There are no workarounds, so Cisco is encouraging customers to update the software. 

The bug affects 9000 Series Fabric Switches in ACI mode if they are running a Cisco NX-OS Software release earlier than 14.1(1i).

Cisco also has fixes available for several other vulnerabilities affecting the Nexus 9000 software, all of which affect systems running Cisco NX-OS Software releases prior to 14.1(1i).
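A fleet triage check for the release cut-off named above, added here as an example (not Cisco's or the article's code): it parses the NX-OS ACI-mode release format, major.minor(maintenance+letter), and flags any device older than 14.1(1i). The inventory lines are constructed sample data, and the rule that the letter suffix orders builds alphabetically within one maintenance number is an assumption about Cisco's numbering.

```python
import re

# Fixed release named in the advisory summary above.
FIXED_RELEASE = "14.1(1i)"

# Constructed sample inventory (hostname, ACI-mode NX-OS release); not real devices.
SAMPLE_INVENTORY = """\
leaf-101 14.0(3d)
leaf-102 14.1(1i)
spine-201 13.2(5e)
leaf-103 14.1(1h)
leaf-104 14.1(2g)
"""

# major.minor(maintenance + optional lowercase letter), e.g. 14.1(1i)
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]?)\)$")


def parse_release(text):
    """Turn '14.1(1i)' into the comparable tuple (14, 1, 1, 'i').

    Assumption: the letter suffix compares alphabetically, and a missing
    letter sorts before 'a'. Raises ValueError on any other format so a
    garbled inventory line is never silently treated as patched.
    """
    m = _RELEASE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised NX-OS release string: {text!r}")
    major, minor, maint, letter = m.groups()
    return (int(major), int(minor), int(maint), letter)


def is_vulnerable(release, fixed=FIXED_RELEASE):
    """True if `release` is earlier than the fixed release."""
    return parse_release(release) < parse_release(fixed)


def triage(inventory_text):
    """Return {hostname: release} for devices still on a pre-fix release."""
    vulnerable = {}
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, release = line.split()
        if is_vulnerable(release):
            vulnerable[host] = release
    return vulnerable


if __name__ == "__main__":
    for host, rel in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {rel} is earlier than {FIXED_RELEASE}; patch required")
```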

ERNW’s Matula also reported a medium-severity path traversal flaw in the Nexus 9000 ACI mode software that would allow a local attacker with valid credentials to use ‘symbolic links’ to overwrite potentially sensitive system files.   

Another fix in Cisco NX-OS Software 14.1(1i) is a high-severity elevation of privilege flaw that allowed a local attacker with valid admin credentials for a device to execute arbitrary NX-OS commands as the root user. 

“The vulnerability is due to overly permissive file permissions of specific system files. An attacker could exploit this vulnerability by authenticating to an affected device, creating a crafted command string, and writing this crafted string to a specific file location,” Cisco explains.  

Pre-14.1(1i) NX-OS also wasn’t properly validating TLS client certificates sent between components of an ACI fabric. 

An attacker with a certificate that is trusted by the Cisco Manufacturing certificate authority and the corresponding private key could present a valid certificate while attempting to connect to the targeted device.  

“An exploit could allow the attacker to gain full control of all other components within the ACI fabric of an affected device,” Cisco notes. 


The Experimental Honda Business Jet With A Strange Turbofan Design


While most small aircraft are made out of a combination of aluminum and fiberglass, the MH02 was the first ever all-composite jet, meaning that all structural components of the jet were made out of a carbon fiber-epoxy resin material. The carbon fiber wonder was just under 37 feet long and had a wingspan of over 36 feet. Its two aforementioned turbofans pumped out a combined 2,464 pounds of thrust, allowing it to reach speeds of 353 knots (or 406 miles per hour).

Unconventional design notwithstanding, the MH02 never saw the light of day or real production aside from the prototype. Honda never intended the MH02 to take to the sky as a production jet and its sole purpose was to act as a test bed for Honda’s flight-related projects. The MH02 wasn’t going to win many prizes in the looks department, but the data collected during its flight proved to be invaluable to the future HondaJet. It showed that the company responsible for making the Honda Accord was capable of making a feasible passenger jet, further cementing Honda’s reputation as the producer of just about anything that has an engine, turbofan or otherwise. 

[Featured image by Morio via Wikimedia Commons | Cropped and scaled | CC BY-SA 3.0]


iPhone 15’s Potential Charging Limits May Bring Trouble For Apple


Given that Apple has yet to officially confirm or deny the possibility of its lower-priced iPhones getting slower charging speeds, the IMCO hasn’t discussed a possible regulatory intervention. IMCO’s major bone of contention is the possibility of Apple implementing a feature that would only allow official Apple USB-C accessories to be used with USB-C iPhones — thereby locking out competing products.

At this point, the IMCO seems unaware of Apple’s MFI (Made for iPhone) program, which allows third-party accessory makers to design and manufacture iPhone accessories that conform to Apple’s strict quality standards. Apple claims the MFI certification acts as a quality seal and prevents users from ending up with poor-quality devices that could potentially damage its products. However, Apple’s intentions behind the MFI program aren’t entirely noble, given that the company earns a small commission from the sale of each MFI-certified accessory.

At this point, the IMCO sees these rumored restrictions as an anti-competitive move that completely violates consumer rights. It remains to be seen if the two parties are able to settle these differences before the launch of the iPhone 15 series in September this year.


Hyundai And KIA To Offer Free Steering Wheel Locks To Combat Viral TikTok Thefts


The robberies started as a viral TikTok challenge in which thieves, predominantly young boys who call themselves the “KIA Boys,” have been hotwiring certain KIA and Hyundai car models using a USB cable. This is possible because the affected models lack a crucial component called an ignition immobilizer, which is responsible for cutting off the fuel supply to the engine if someone attempts to start the car without the actual key.

Due to the viral TikTok trend, several thieves have joined in to carjack the affected models and spread the word further. Most of these models affected by the flaw use mechanical keys and not smart key fobs.

Incidentally, many insurance companies “temporarily” stopped offering coverage for the affected models owing to their lack of anti-theft features. Despite warnings from several state and city police departments, there is no national tally of the number of robberies since the trend went viral. But in January 2023, Progressive, one of the leading insurance companies, told CNN that these vehicles were 20 times more likely to be stolen. It was one of the companies to limit the sale of new policies for the affected vehicles.
