New Cisco critical bugs: 9.8/10-severity Nexus security flaws need urgent update

Cisco has revealed two more highly critical security bugs affecting its data-center software, a week after telling customers to patch core network-management products.  

The newly disclosed bugs affect Cisco’s Data Center Network Manager (DCNM) software and once again are in its web-based management interface. 

Both flaws can be exploited by anyone on the internet and are rated as critical, with severity ratings of 9.8 out of 10. 

DCNM is the network management system for all NX-OS systems that use Cisco’s Nexus hardware in data centers. The software is used to automate provisioning, troubleshooting, and spotting configuration errors. 

In other words, it’s a crucial piece of software for organizations that use Nexus switches, whose NX-OS operating system got patches for an equally severe flaw in May.    

The first issue, CVE-2019-1619, is an authentication bypass in DCNM’s web interface that allows an attacker to obtain a valid session cookie without knowing the admin user password.

Attackers would need to send a specially crafted HTTP request to an undisclosed but specific web servlet on affected devices to get that session cookie. Should attackers gain the cookie, they’d be able to control the device with administrative privileges. 

Cisco has now excised that particular web servlet in DCNM software release 11.1(1). However, it had deprecated the servlet in release 11.0(1), meaning it had removed the attack vector in that version already. 

The company is urging customers to upgrade to DCNM software release 11.1(1), which it released in early May, or later to address the issue.

The second flaw would allow anyone on the internet to upload malicious files to the DCNM filesystem on affected devices. Again, this bug is due to an undisclosed but specific web servlet, which Cisco removed completely in software release 11.2(1), released in June.

“The vulnerability is due to incorrect permission settings in affected DCNM software. An attacker could exploit this vulnerability by uploading specially crafted data to the affected device,” Cisco explained in its advisory for the bug CVE-2019-1620.  

“A successful exploit could allow the attacker to write arbitrary files on the filesystem and execute code with root privileges on the affected device.”

While customers on DCNM release 11.2(1) and later should be safe, Cisco notes that attackers targeting release 11.1(1) could gain unauthenticated access to the affected web servlet and exploit the flaw. In the 11.0(1) release, an attacker would need to be authenticated to the DCNM web interface to exploit it.
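For teams tracking several DCNM instances, the release thresholds described above can be turned into a small inventory triage. This is an added example, not code from Cisco or from the article; the hostnames are placeholders, and it assumes that builds between two named releases behave like the lower one and that releases before 11.0(1) still ship both servlets.

```python
import re

# Release thresholds as quoted in the article.
SERVLET_DEPRECATED_1619 = (11, 0, 1)  # CVE-2019-1619 servlet deprecated
FIXED_1619 = (11, 1, 1)               # CVE-2019-1619 servlet removed
FIXED_1620 = (11, 2, 1)               # CVE-2019-1620 servlet removed
_RELEASE = re.compile(r"\s*(\d+)\.(\d+)\((\d+)\)\s*")

def parse_release(text):
    """Turn a release string such as '11.1(1)' into a comparable tuple."""
    m = _RELEASE.fullmatch(text)
    if m is None:
        raise ValueError(f"unrecognised DCNM release: {text!r}")
    return tuple(int(part) for part in m.groups())

def triage(release):
    """Map one release to its status for each of the two CVEs."""
    v = parse_release(release)
    if v >= FIXED_1619:
        auth_bypass = "fixed"
    elif v >= SERVLET_DEPRECATED_1619:
        auth_bypass = "servlet deprecated, upgrade advised"
    else:
        auth_bypass = "exposed"  # assumption: older releases keep the servlet
    if v >= FIXED_1620:
        upload = "fixed"
    elif v >= FIXED_1619:
        upload = "exposed, no authentication needed"
    elif v >= SERVLET_DEPRECATED_1619:
        upload = "exposed, authentication needed"
    else:
        upload = "exposed, precondition not stated"  # article is silent here
    return {"CVE-2019-1619": auth_bypass, "CVE-2019-1620": upload}

def upgrade_queue(inventory):
    """Return (host, release, findings) for every host not fully fixed."""
    queue = []
    for host, release in sorted(inventory.items()):
        try:
            findings = triage(release)
        except ValueError:
            findings = {"release": "unparseable, manual review"}
        if set(findings.values()) != {"fixed"}:
            queue.append((host, release, findings))
    return queue

# Constructed inventory; hostnames are placeholders.
SAMPLE = {"dcnm-a": "10.4(2)", "dcnm-b": "11.0(1)", "dcnm-c": "11.1(1)",
          "dcnm-d": "11.2(1)", "dcnm-e": "unknown"}
```

Calling `upgrade_queue(SAMPLE)` lists every instance except the one already on 11.2(1), with the unparseable entry flagged for manual review rather than silently skipped.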

Both bugs were found by Pedro Ribeiro, who reported them through iDefense’s Vulnerability Contributor Program. Cisco said it is not currently aware of any attacks that exploit these bugs.

