

Seriously? Cisco put Huawei X.509 certificates and keys into its own switches




Cisco has disclosed a bunch of vulnerabilities in its networking equipment, including one embarrassing bug that put the West’s tech boogeyman inside the US firm’s kit. 

Cisco is telling customers to apply updates for 18 high- and medium-severity vulnerabilities in its products, plus one curious bug it labels ‘informational’ that affects its Small Business 250, 350, 350X, and 550X Series Switches.

The bugs in these switches are not serious enough to get their own CVE identifier, but they do provide a lesson in the well-known risks of using third-party open-source components in products without running proper security checks on them.

Researchers at SEC Technologies, the IoT division of security firm SEC Consult, were using its IoT Inspector bug-hunting software to probe firmware images of Cisco’s Small Business 250 Series Switches and found they contained digital certificates and keys issued to Futurewei Technologies. 

Futurewei Technologies is the US-based R&D arm of Huawei. Apparently in response to the US ban on Huawei using US tech, the research division is reportedly planning to separate from the Chinese mothership, and has also banned Huawei workers from its offices, dropped the Huawei logo, and created its own separate IT system for staff.

But the question is why would a US tech giant like Cisco, which has sued Huawei over patents, put its Chinese rival’s certificates and keys into its own switches? 

The answer, oddly, is that Cisco developers were using a Huawei-made open-source package during testing and forgot to remove certain components.  

“We noticed Huawei certificates being used in the firmware. And given the political controversy we didn’t want to speculate any further,” Florian Lukavsky, CEO of SEC Technologies, told ZDNet.  

The certificates were part of a test package of an open-source component called OpenDaylight. It contained some test scripts and data, which included the Huawei-issued certificates. 

OpenDaylight is an open-source project focused on software-defined networking that includes Cisco, Huawei, and other major networking companies.

“This is how the certificates ended up in the firmware. They were used in testing by Cisco developers and they simply forgot to remove the certificates before shipping it to the devices,” said Lukavsky. 

He added that the certificates were not actively being used and were only present on the file system. 

“Our research and Cisco’s research didn’t turn up any indication that the issue would cause any threat to clients. But Cisco also removed some unnecessary software packages and updated components where we had identified vulnerabilities,” he said. 

The files included certificates and keys issued to Futurewei, empty password hashes, unnecessary software packages, and several security flaws, according to Cisco’s advisory.

Cisco offered this explanation for the situation: 

An X.509 certificate with the corresponding public/private key pair and the corresponding root CA certificate were found in Cisco Small Business 250 Series Switches firmware. SEC Consult calls this the ‘House of Keys’. Both certificates are issued to third-party entity Futurewei Technologies, a Huawei subsidiary.

The certificates and keys in question are part of the Cisco FindIT Network Probe that is bundled with Cisco Small Business 250, 350, 350X, and 550X Series Switches firmware. These files are part of the OpenDaylight open source package. Their intended use is to test the functionality of software using OpenDaylight routines. 

The Cisco FindIT team used those certificates and keys for their intended testing purpose during the development of the Cisco FindIT Network Probe; they were never used for live functionality in any shipping version of the product. All shipping versions of the Cisco FindIT Network Probe use dynamically created certificates instead. 

The inclusion of the certificates and keys from the OpenDaylight open-source package in shipping software was an oversight by the Cisco FindIT development team.

Cisco has removed those certificates and associated keys from FindIT Network Probe software and Small Business 250, 350, 350X, and 550X Series Switches firmware starting with the releases listed later in this advisory.
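
A release check of the kind this incident argues for, as an added example that is not from Cisco, SEC Consult or the original article: it walks an unpacked firmware tree and reports PEM private keys, certificates and shadow entries with an empty password hash, with a short SHA-256 digest so a reviewer can match a blob to an upstream test file. The file paths and file contents are constructed for illustration.

```python
import base64
import hashlib
import pathlib
import re
import tempfile

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.+?)-----END \1-----", re.S)

def scan_tree(root):
    """Return sorted (relative path, finding, detail) tuples for an unpacked image."""
    findings = []
    for path in pathlib.Path(root).rglob("*"):
        if not path.is_file():
            continue
        rel, data = path.relative_to(root).as_posix(), path.read_bytes()
        for label, body in PEM_RE.findall(data):
            if not (label.endswith(b"PRIVATE KEY") or label == b"CERTIFICATE"):
                continue
            try:
                der = base64.b64decode(b"".join(body.split()), validate=True)
            except ValueError:  # PEM-looking text whose body is not base64
                continue
            kind = "certificate" if label == b"CERTIFICATE" else "private-key"
            findings.append((rel, kind, hashlib.sha256(der).hexdigest()[:16]))
        if path.name == "shadow":  # second field empty = account has no password
            for line in data.decode("utf-8", "replace").splitlines():
                fields = line.split(":")
                if len(fields) > 1 and fields[1] == "":
                    findings.append((rel, "empty-password-hash", fields[0]))
    return sorted(findings)

def build_sample_tree(root):
    """Write a constructed stand-in for a firmware root filesystem (paths hypothetical)."""
    def pem(label, raw):
        return f"-----BEGIN {label}-----\n{base64.encodebytes(raw).decode()}-----END {label}-----\n"
    files = {
        "opt/probe/test/resources/test.key": pem("RSA PRIVATE KEY", b"constructed key bytes"),
        "opt/probe/test/resources/test.crt": pem("CERTIFICATE", b"constructed cert bytes"),
        "etc/shadow": "root::18000:0:99999:7:::\nadmin:$6$salt$hash:18000:0:99999:7:::\n",
    }
    for rel, text in files.items():
        target = pathlib.Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        print(*scan_tree(root), sep="\n")
```

Legacy encrypted PEM keys carry header lines inside the block and are skipped by the base64 check, and DER-encoded files are not covered.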


