Researchers discovered certificates and cryptographic keys signed by Huawei in Cisco switches. The presence is the result of an oblivion and the files have no operational impact, but Cisco still removes them with an update.
SEC Technologies security researchers were strangely surprised when they discovered certificates and cryptographic keys signed by Huawei on a handful of Cisco switches. These are the Small Business 250, 350, 350X and 550X. The certificates do no harm, but do not have a place on the devices. Cisco confirms their presence and removes them with the help of a patch.
In concrete terms, these are open-source keys for Futurewei code, which is an American subsidiary of Huawei. The keys for Futurewei were signed by Huawei and are available in open source code. This code is part of an OpenDaylight test package that Cisco used in the development of the switches. The developers forgot to delete the files after the tests.
At the moment they are in the filesystem of the switches where they do nothing wrong. Let me make it clear that this is an innocent mistake on the part of Cisco and that Huawei has no place in it, but, of course, such discoveries come at a time when Huawei certainly has little credit in the United States. Cisco confirms the story in a comment to ZDNet and stresses once again that the certificates disappear with the latest firmware update.
In total, Cisco is rolling out updates for 18 serious and less serious vulnerabilities, of which ten are given the high impact label. In other words, it’s a good idea to check if your Cisco hardware has the latest updates on board, apart from the whole Huawei story.This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.