Cisco and Huawei are old rivals in communications equipment and have competed in the market for many years. In 2003, the American company sued Huawei for plagiarizing its code, but, embarrassingly, Cisco recently admitted to misusing Huawei code. Cisco recently issued 19 security advisories, 18 of which concern high-risk vulnerabilities. The other is a low-severity issue affecting the Small Business 250, 350, 350X and 550X switches. This minor problem is not serious, and it did not receive a CVE identifier.
However, why would Cisco, an American tech giant, use its Chinese rival's certificates and keys in its switches? The reason is interesting. Cisco developers were using a Huawei-made open-source package from Futurewei (Huawei's North American R&D company) during testing, but they forgot to delete the relevant components after testing. The open-source package, OpenDaylight, is a platform for software-defined networking.
“We noticed Huawei certificates in the firmware. And given the political controversy we didn’t want to speculate any further,” Florian Lukavsky, CEO of SEC Technologies, told ZDNet. “This is how the certificates ended up in the firmware. They were used in testing by Cisco developers and they simply forgot to remove the certificates before shipping it to the devices,” said Lukavsky.
Cisco offered this explanation for the situation:
An X.509 certificate with the corresponding public/private key pair and the corresponding root CA certificate were found in Cisco Small Business 250 Series Switches firmware. SEC Consult calls this the ‘House of Keys’. Both certificates are for a third-party entity, Futurewei Technologies, a Huawei subsidiary.
The certificates and keys in question are part of the Cisco FindIT Network Probe that is included with Cisco Small Business 250, 350, 350X, and 550X Series Switches firmware. These files are part of the OpenDaylight open source package. Their intended use is to test the functionality of software using OpenDaylight routines.
The Cisco FindIT team used those certificates and keys for their intended testing purpose during the development of the Cisco FindIT Network Probe; they were never used for live functionality in any shipping version of the product. All shipping versions of the Cisco FindIT Network Probe use dynamically created certificates instead.
The inclusion of the certificates and keys from the OpenDaylight open-source package in shipping software was an oversight by the Cisco FindIT development team.
Cisco has removed those certificates and associated keys from FindIT Network Probe software and Small Business 250, 350, 350X, and 550X Series Switches firmware starting with the releases listed later in this advisory.
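A defender-side check suggested by the advisory above, added here as an example that is not part of this article nor of Cisco's or SEC Consult's tooling: it scans raw firmware images for PEM-armoured certificates and private keys, fingerprints them, flags a private key shipped next to a certificate (the static pair the advisory describes, as opposed to the dynamically created certificates a shipping build should use), and reports any object that recurs across several images. The sample images, their names and the PEM bodies are constructed placeholders.

```python
import base64
import hashlib
import re
from typing import NamedTuple

# PEM blocks can sit anywhere inside a firmware image, between binary data,
# so the scan runs over raw bytes rather than over a text file.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.DOTALL)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
# label, byte offset in the image, SHA-256 of the decoded DER (a fingerprint to compare images by)
PemItem = NamedTuple("PemItem", [("label", str), ("offset", int), ("sha256", str)])

def scan_blob(blob: bytes) -> list[PemItem]:
    """Find every PEM object in an image and fingerprint it."""
    items = []
    for m in PEM_RE.finditer(blob):
        try:
            der = base64.b64decode(re.sub(rb"\s+", b"", m.group(2)), validate=True)
        except ValueError:
            continue  # PEM-looking text whose body is not base64: skip it
        if not der or der[0] != 0x30:
            continue  # certificates and PKCS#1/PKCS#8 keys are all ASN.1 SEQUENCEs
        items.append(PemItem(m.group(1).decode(), m.start(), hashlib.sha256(der).hexdigest()))
    return items

def findings(blob: bytes) -> list[str]:
    """Flag any shipped private key, and a certificate shipped next to one."""
    items = scan_blob(blob)
    keys = [i for i in items if i.label in KEY_LABELS]
    certs = [i for i in items if i.label == "CERTIFICATE"]
    out = [f"{k.label} at offset 0x{k.offset:x}: every device running this image holds the same key"
           for k in keys]
    if keys and certs:
        out.append("certificate and private key shipped together: a static identity, not a per-device one")
    return out

def shared_fingerprints(images: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each fingerprint found in more than one image to the images that contain it."""
    seen: dict[str, set[str]] = {}
    for name, blob in images.items():
        for item in scan_blob(blob):
            seen.setdefault(item.sha256, set()).add(name)
    return {fp: sorted(names) for fp, names in seen.items() if len(names) > 1}

def _pem(label: bytes, der: bytes) -> bytes:  # wraps constructed DER in PEM armour for the sample
    return b"-----BEGIN " + label + b"-----\n" + base64.encodebytes(der) + b"-----END " + label + b"-----\n"

# Constructed sample images: the DER bodies are tiny hand-made SEQUENCEs, not real keys or
# certificates, and the file names are placeholders rather than any vendor's firmware names.
SAMPLE_IMAGES = {
    "image_a.bin": b"\x7fELF\x00\x01" + _pem(b"CERTIFICATE", b"\x30\x03\x02\x01\x01")
                   + b"\xff\x00" + _pem(b"RSA PRIVATE KEY", b"\x30\x03\x02\x01\x02"),
    "image_b.bin": b"\x00\x01\x02" + _pem(b"CERTIFICATE", b"\x30\x03\x02\x01\x01"),  # same cert, no key
}
```

Running `findings()` over each image and `shared_fingerprints(SAMPLE_IMAGES)` shows the key-plus-certificate pair in the first image and the certificate common to both.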