Seriously? Cisco put Huawei X.509 certificates and keys into its own switches




Cisco has disclosed a bunch of vulnerabilities in its networking equipment, including one embarrassing bug that put the West’s tech boogeyman inside the US firm’s kit. 

Cisco is telling customers to apply updates for 18 high- and medium-severity vulnerabilities in its products, plus one curious bug it labels ‘informational’ that affects its Small Business 250, 350, 350X, and 550X Series Switches.

The bugs in these switches are not serious enough to get their own CVE identifiers, but they do provide a lesson in the well-known risks of shipping third-party open-source components in products without running proper security checks on them.

Researchers at SEC Technologies, the IoT division of security firm SEC Consult, were using the company's IoT Inspector bug-hunting software to probe firmware images of Cisco’s Small Business 250 Series Switches and found they contained digital certificates and keys issued to Futurewei Technologies.

Futurewei Technologies is the US-based R&D arm of Huawei. Apparently in response to the US ban on Huawei using US tech, the research division is reportedly planning to separate from the Chinese mothership, and has also banned Huawei workers from its offices, dropped the Huawei logo, and created its own separate IT system for staff.

But the question is why would a US tech giant like Cisco, which has sued Huawei over patents, put its Chinese rival’s certificates and keys into its own switches? 

The answer, oddly, is that Cisco developers were using a Huawei-made open-source package during testing and forgot to remove certain components.  

“We noticed Huawei certificates being used in the firmware. And given the political controversy we didn’t want to speculate any further,” Florian Lukavsky, CEO of SEC Technologies, told ZDNet.  

The certificates were part of a test package of an open-source component called OpenDaylight. It contained some test scripts and data, which included the Huawei-issued certificates. 

OpenDaylight is an open-source project focused on software-defined networking whose members include Cisco, Huawei, and other major networking companies.

“This is how the certificates ended up in the firmware. They were used in testing by Cisco developers and they simply forgot to remove the certificates before shipping it to the devices,” said Lukavsky. 

He added that the certificates were not actively being used and were only present on the file system. 

“Our research and Cisco’s research didn’t turn up any indication that the issue would cause any threat to clients. But Cisco also removed some unnecessary software packages and updated components where we had identified vulnerabilities,” he said. 

The files included certificates and keys issued to Futurewei, empty password hashes, unnecessary software packages, and several security flaws, according to Cisco’s advisory.

Cisco offered this explanation for the situation: 

An X.509 certificate with the corresponding public/private key pair and the corresponding root CA certificate were found in Cisco Small Business 250 Series Switches firmware. SEC Consult calls this the ‘House of Keys’. Both certificates are issued to third-party entity Futurewei Technologies, a Huawei subsidiary.

The certificates and keys in question are part of the Cisco FindIT Network Probe that is bundled with Cisco Small Business 250, 350, 350X, and 550X Series Switches firmware. These files are part of the OpenDaylight open source package. Their intended use is to test the functionality of software using OpenDaylight routines. 

The Cisco FindIT team used those certificates and keys for their intended testing purpose during the development of the Cisco FindIT Network Probe; they were never used for live functionality in any shipping version of the product. All shipping versions of the Cisco FindIT Network Probe use dynamically created certificates instead. 

The inclusion of the certificates and keys from the OpenDaylight open-source package in shipping software was an oversight by the Cisco FindIT development team.

Cisco has removed those certificates and associated keys from FindIT Network Probe software and Small Business 250, 350, 350X, and 550X Series Switches firmware starting with the releases listed later in this advisory.
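As an added check (not from the article, Cisco or SEC Consult), the script below walks an unpacked firmware root and reports the two kinds of residue the advisory describes: leftover PEM certificates and private keys, fingerprinted by the SHA-256 of their DER so a known test fixture can be matched across builds, and shadow entries with an empty password hash. The sample tree, file names and PEM bodies are constructed placeholders, not real Cisco files or keys.

```python
import base64, hashlib, re, tempfile
from pathlib import Path

# One PEM block: label, base64 body, then the matching END line.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def scan_pem(text):
    """One record per PEM block: label, is-it-a-private-key, SHA-256 of the DER."""
    out = []
    for label, body in PEM_RE.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            continue  # malformed block: report nothing rather than guess
        out.append({"type": label, "private": "PRIVATE KEY" in label,
                    "sha256": hashlib.sha256(der).hexdigest()})
    return out

def empty_password_accounts(shadow_text):
    """Accounts whose shadow hash field is empty; '!' or '*' there means locked, not empty."""
    return [line.split(":")[0] for line in shadow_text.splitlines()
            if line.count(":") >= 1 and line.split(":")[1] == ""]

def scan_tree(root):
    """Walk an unpacked firmware root and collect certs, keys and empty hashes."""
    root = Path(root)
    report = {"certs": [], "keys": [], "empty_passwords": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        data = path.read_text(errors="ignore")  # binary files just yield no matches
        for rec in scan_pem(data):
            rec["path"] = str(path.relative_to(root))
            report["keys" if rec["private"] else "certs"].append(rec)
        if path.name == "shadow":
            report["empty_passwords"] += empty_password_accounts(data)
    return report

def build_sample_tree():
    """Constructed stand-in for an unpacked firmware root; PEM bodies are placeholders."""
    root = Path(tempfile.mkdtemp())
    b64 = lambda s: base64.b64encode(s).decode()
    (root / "etc/ssl/test").mkdir(parents=True)
    (root / "etc/ssl/test/ca.crt").write_text(
        f"-----BEGIN CERTIFICATE-----\n{b64(b'placeholder CA')}\n-----END CERTIFICATE-----\n")
    (root / "etc/ssl/test/node.key").write_text(
        f"-----BEGIN RSA PRIVATE KEY-----\n{b64(b'placeholder key')}\n-----END RSA PRIVATE KEY-----\n")
    (root / "etc/shadow").write_text(
        "root::18000:0:99999:7:::\nadmin:$6$salt$hash:18000:0:99999:7:::\nsvc:!:18000:0:99999:7:::\n")
    return root
```

Run `scan_tree` over a tree produced by binwalk or a squashfs unpack; any private key or empty hash in the report is a release blocker regardless of whether the code path that would use it is live.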
