Seriously? Cisco put Huawei X.509 certificates and keys into its own switches

July 04, 2019

Cisco: DNS attacks will undermine trust in the internet
Sophisticated hacking group taps wide set of vulnerabilities as part of their global hacking spree.

Cisco has disclosed a bunch of vulnerabilities in its networking equipment, including one embarrassing bug that put the West’s tech boogeyman inside the US firm’s kit.

Cisco is telling customers to apply updates for 18 high- and medium-severity vulnerabilities in its products, plus one curious bug it labels ‘informational‘ that affects its Small Business 250, 350, 350X, and 550X Series Switches.

The bugs in these switches are not serious enough to get its own CVE identifier, but they do provide a lesson in the well-known risks of using third-party open-source components in products without running proper security checks on them.

Researchers at SEC Technologies, the IoT division of security firm SEC Consult, were using its IoT Inspector bug-hunting software to probe firmware images of Cisco’s Small Business 250 Series Switches and found they contained digital certificates and keys issued to Futurewei Technologies.

Futurewei Technologies is the US-based RD arm of Huawei. Apparently in response to the US ban on Huawei using US tech, the research division is reportedly planning to separate from the Chinese mothership, and has also banned Huawei workers from its offices, dropped the Huawei logo, and created its own separated IT system for staff.

But the question is why would a US tech giant like Cisco, which has sued Huawei over patents, put its Chinese rival’s certificates and keys into its own switches?

The answer, oddly, is that Cisco developers were using a Huawei-made open-source package during testing and forgot to remove certain components.

“We noticed Huawei certificates being used in the firmware. And given the political controversy we didn’t want to speculate any further,” Florian Lukavsky, CEO of SEC Technologies, told ZDNet.

The certificates were part of a test package of an open-source component called OpenDaylight. It contained some test scripts and data, which included the Huawei-issued certificates.

OpenDaylight is an open-source project focused on software-defined networking that includes Cisco, Huawei, and other major networking companies.

“This is how the certificates ended up in the firmware. They were used in testing by Cisco developers and they simply forgot to remove the certificates before shipping it to the devices,” said Lukavsky.

He added that the certificates were not actively being used and were only present on the file system.

“Our research and Cisco’s research didn’t turn up any indication that the issue would cause any threat to clients. But Cisco also removed some unnecessary software packages and updated components where we had identified vulnerabilities,” he said.

The files included certificates and keys issued to Future, empty password hashes, unnecessary software packages, and several security flaws, according to Cisco’s advisory.

Cisco offered this explanation for the situation:

An X.509 certificate with the corresponding public/private key pair and the corresponding root CA certificate were found in Cisco Small Business 250 Series Switches firmware. SEC Consult calls this the ‘House of Keys’. Both certificates are issued to third-party entity Futurewei Technologies, a Huawei subsidiary.

The certificates and keys in question are part of the Cisco FindIT Network Probe that is bundled with Cisco Small Business 250, 350, 350X, and 550X Series Switches firmware. These files are part of the OpenDaylight open source package. Their intended use is to test the functionality of software using OpenDaylight routines.

The Cisco FindIT team used those certificates and keys for their intended testing purpose during the development of the Cisco FindIT Network Probe; they were never used for live functionality in any shipping version of the product. All shipping versions of the Cisco FindIT Network Probe use dynamically created certificates instead.

The inclusion of the certificates and keys from the OpenDaylight open-source package in shipping software was an oversight by the Cisco FindIT development team.

Cisco has removed those certificates and associated keys from FindIT Network Probe software and Small Business 250, 350, 350X, and 550X Series Switches firmware starting with the releases listed later in this advisory.