Cisco’s warning: Patch now, critical SSH flaw affects Nexus 9000 fabric switches


Cisco has revealed that its Nexus 9000 fabric switches have a critical flaw that could allow anyone to remotely connect to a vulnerable device using Secure Shell (SSH) and control it with root user privileges.

The company disclosed the bug on Tuesday and has given it a severity rating of 9.8 out of 10. 

The issue stems from SSH key management in the Nexus 9000 Series Application Centric Infrastructure (ACI) Mode Switch Software. Cisco mistakenly put a default SSH key pair in the devices that an attacker could grab by connecting to the device over IPv6.

“An attacker could exploit this vulnerability by opening an SSH connection via IPv6 to a targeted device using the extracted key materials. An exploit could allow the attacker to access the system with the privileges of the root user,” Cisco explains, noting it can’t be exploited over IPv4.  

The bug was found by external security researcher Oliver Matula from ERNW Enno Rey Netzwerke. 

There are no workarounds, so Cisco is encouraging customers to update the software. 

The bug affects 9000 Series Fabric Switches in ACI mode that are running a Cisco NX-OS Software release before 14.1(1i).

Cisco also has fixes available for several other vulnerabilities affecting the Nexus 9000 software, all of which affect systems running Cisco NX-OS Software releases prior to 14.1(1i).
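Since every issue in this advisory is fixed in the same release, the practical first step for a defender is an inventory check. The following is an added example, not Cisco's tooling: it parses NX-OS/ACI release strings of the form `14.1(1i)` and flags devices running anything older than the fixed release; the hostnames and versions in the sample inventory are constructed for illustration.

```python
import re
from typing import Dict, List, NamedTuple

# Fixed release named in Cisco's advisory for the Nexus 9000 ACI-mode issues.
FIXED_RELEASE = "14.1(1i)"


class NxosVersion(NamedTuple):
    major: int
    minor: int
    maint: int
    rebuild: str  # letter suffix inside the parentheses, e.g. "i" in 14.1(1i)


# Matches release strings such as 14.1(1i), 13.2(5e) or 14.1(2g).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]*)\)$")


def parse_nxos_version(text: str) -> NxosVersion:
    """Parse an NX-OS/ACI release string into comparable fields."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised NX-OS release string: {text!r}")
    major, minor, maint, rebuild = m.groups()
    return NxosVersion(int(major), int(minor), int(maint), rebuild)


def is_vulnerable(running: str, fixed: str = FIXED_RELEASE) -> bool:
    """True when the running release sorts before the fixed release.

    Tuple comparison orders the numeric fields first and the rebuild letter
    last, so 14.1(1h) < 14.1(1i) and 14.0(3d) < 14.1(1i), while 14.1(2g) is not
    flagged because its maintenance number is higher.
    """
    return parse_nxos_version(running) < parse_nxos_version(fixed)


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the names of devices whose release predates the fix."""
    return sorted(name for name, ver in inventory.items() if is_vulnerable(ver))


# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "leaf-101": "14.0(3d)",
    "leaf-102": "14.1(1h)",
    "spine-201": "14.1(1i)",
    "spine-202": "14.1(2g)",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: running {SAMPLE_INVENTORY[host]}, needs {FIXED_RELEASE} or later")
```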

ERNW’s Matula also reported a medium-severity path traversal flaw in the Nexus 9000 ACI mode software that would allow a local attacker with valid credentials to use ‘symbolic links’ to overwrite potentially sensitive system files.   

Another fix in Cisco NX-OS Software 14.1(1i) is a high-severity elevation of privilege flaw that allowed a local attacker with valid admin credentials for a device to execute arbitrary NX-OS commands as the root user. 

“The vulnerability is due to overly permissive file permissions of specific system files. An attacker could exploit this vulnerability by authenticating to an affected device, creating a crafted command string, and writing this crafted string to a specific file location,” Cisco explains.  

Pre-14.1(1i) NX-OS also wasn’t properly validating TLS client certificates sent between components of an ACI fabric. 

An attacker with a certificate that is trusted by the Cisco Manufacturing certificate authority and the corresponding private key could present a valid certificate while attempting to connect to the targeted device.  

“An exploit could allow the attacker to gain full control of all other components within the ACI fabric of an affected device,” Cisco notes. 

BMW iX5 Hydrogen Production Starts, But Don’t Expect To See This Fuel-Cell SUV In Dealerships

The reality, though, is that even with a small number of BMW iX5 Hydrogen SUVs being produced — using individual fuel-cells supplied by Toyota, but assembled into a stack by BMW using the automaker’s own processes and technologies — the expectation is that hydrogen as a fuel will be predominantly of interest to non-passenger vehicles. Instead, it arguably makes the most sense, BMW suggests, for larger vehicles like medium- to heavy-duty trucks, along with the marine and aviation sectors. We’ve already seen Toyota reveal its plans for such an FCEV truck.

Despite that, and an acknowledgment that battery-electric vehicles will undoubtedly lead in the mainstream, BMW still believes there’s a place for FCEVs. After all, the automaker argues, if the infrastructure is being built to cater for trucks, there’s no reason not to also use it for passenger vehicles like the iX5 Hydrogen.

The results of the small-series production beginning today will be used as technology demonstrators across select regions from spring 2023, BMW says. It’s unclear at this point how many will be built. Depending on the reception and the strengths of the technology, series production of a first model could follow mid-decade, ahead of a potential full portfolio of BMW FCEVs from the 2030s onwards.

Tesla Set To Deliver The First Semi To Pepsi

In October, Tesla’s CEO revealed that production of the Tesla Semi had begun, and it was due to be delivered today. Tesla has already started the countdown, and we expect the unveiling event to take place at the Nevada factory. The electric truck will be dispatched to Pepsi, which had ordered 100 units. Investor reports that Tesla’s stock price increased by 7.7% on Wednesday, probably in anticipation of Tesla’s first Semi delivery.

Musk tweeted on Saturday that the “Tesla team just completed a 500-mile drive with a Tesla Semi weighing in at 81,000 lbs!” However, considering that Musk said that the company is dealing with supply chain issues and market inflation, it’s unclear if Tesla will stick to the original $180,000 price it intended to sell at when it was announced in 2017. Then again, Tesla offers a cheaper Semi that will be available for about $150,000 — but it can only achieve up to 300 miles at full load capacity. For now, we can only wait until it’s on the road to confirm if the specs match up to what was promised five years ago.  

Coinbase Joins Elon Musk In Slamming The Apple App Store Tax

Coinbase complained that Apple’s insistence on its cut unreasonably interfered with its business.

Coinbase’s argument was largely the same as Elon Musk’s, and the basis of Epic Games’ aforementioned lawsuit. According to all of the above, Apple was half of a duopoly: with Google, it controlled the global app marketplace. The “duopoly” part of the argument is pretty much incontrovertible: as of October 2022, Apple and Google control 99.43% of the global smartphone market between them (via StatCounter). Both take a 30% cut of everyone’s action on their marketplaces. From the perspective of Coinbase, that took too much money out of too many elements of its business.

Epic sued over that and, as noted above, won with an asterisk. Apple had restricted in-app purchases, and courts found that anticompetitive, but did require that Apple get a 30% cut of the profits, even though they took place in someone else’s app. In short, according to the Verge, the court said that if you’ve found a way to make money using iOS, you owe Apple 30%, period.

Epic thought in-app purchases should be exempted from the tax. Coinbase thinks elements of the NFT development process — in this case, gas prices to run the processing equipment necessary to mint NFTs — should be exempt from Apple’s app tax. Apple treats all user expenses on an app as in-app purchases and, per the Epic court decision, in-app purchases mean Apple gets a cut.

It’s not a simple problem, and it’s not likely to be solved anytime soon. Stakeholders and regulators have barely begun to integrate cryptocurrency and NFTs into the conventional marketplace. Who gets paid for what is likely to be a conversation for years on end. For now, all that’s certain is that conversation has begun.
