Huawei cryptographic keys embedded in Cisco's firmware

Huawei cryptographic keys embedded in Cisco's firmware
Things happen when they happen. And when developers use third-party or open source libraries in their own product, they may not be aware of potential security issues. Testing firmware for vulnerabilities is time consuming, yet absolutely necessary for compliance with established security standards and legal requirements. That's why we developed IoT Inspector: to automate security analyses of firmware and to assure a security baseline at scale. We are constantly improving IoT Inspector's analysis capabilities. To test new features and capabilities we analyze firmware images from various vendors regularly. One of the more recent analysis results caught us by surprise...Who is Gary, and why are his keys embedded in Cisco's firmware?
The starting point was a firmware image for a Cisco SG250 Smart Switch device, which was downloaded from the Cisco download portal and uploaded to IoT Inspector. The analysis results were strange. The firmware contained a few certificates and a corresponding private key. The location of the files in question (/root/.ssh/
) is usually intended for SSH keys, not certificates.
The certificates themselves were issued by a Gary from the organization Futurewei Technologies, which is a US-based subsidiary of Huawei Technologies. Just to make sure, we double-checked the IoT Inspector results. They were reliable, a manual analysis confirmed the automated results. So, how does a certificate from a Huawei employee end up in a Cisco firmware image?
[caption id="attachment_1216" align="aligncenter" width="1347"]

About Onekey
ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of the automated ONEKEY Product Cybersecurity & Compliance Platform (OCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.

CONTACT:
Sara Fortmann
Senior Marketing Manager
sara.fortmann@onekey.com
euromarcom public relations GmbH
+49 611 973 150
team@euromarcom.de
RELATED RESEARCH ARTICLES

Unblob 2024 Highlights: Sandboxing, Reporting, and Community Milestones
Explore the latest developments in Unblob, including enhanced sandboxing with Landlock, improved carving reporting, and χ² randomness analysis. Celebrate community contributions, academic research collaborations, and new format handlers, while looking forward to exciting updates in 2025.
%201.avif)
Critical Vulnerabilities in EV Charging Stations: Analysis of eCharge Controllers
Discover how severe security flaws, including unauthenticated remote command execution (CVE-2024-11665 & CVE-2024-11666), affect eCharge EV charging controllers. Learn about insecure firmware practices, cloud infrastructure issues, and actionable steps to mitigate risks in EV charging systems.

Security Advisory: Unauthenticated Command Injection in Mitel IP Phones
Discover critical vulnerabilities in Mitel SIP phones that allow unauthenticated command injection. Learn how outdated input parsing can expose your devices and why it's essential to scan firmware for security risks. Protect your network with our in-depth analysis and expert takeaways.
Ready to automate your Product Cybersecurity & Compliance?
Make cybersecurity and compliance efficient and effective with ONEKEY.