On 3/13/25 12:22 PM, Eric Kuhnke via NANOG wrote:
PDF file: https://supportportal.juniper.net/sfc/servlet.shepherd/document/download/069...
From reading this there was no known remote exploit, they needed user level shell access to exploit another local vulnerability which got them root and then installed this exploit. While this isn't great, if someone has unaudited login user level access to your routers, you've already lost. Basic ACL's go a long way to filtering this from outside a logged network too. Security is best when it's a multilayered approach. This said, I've been greeted with a login prompt telnetting to carrier's upstream router in the last 6 months. They seemed outright confused why I cared about it and closed the ticket. 🤦‍♂️ -- Bryan Fields 727-409-1194 - Voice http://bryanfields.net
This underscores the importance of proper security around out-of-band management/console networks and proper security of console ports to the extent that devices offer it. Thank you jms On Thu, Mar 13, 2025 at 1:29 PM Bryan Fields via NANOG < nanog@lists.nanog.org> wrote:
On 3/13/25 12:22 PM, Eric Kuhnke via NANOG wrote:
PDF file:
https://supportportal.juniper.net/sfc/servlet.shepherd/document/download/069...
From reading this there was no known remote exploit, they needed user level shell access to exploit another local vulnerability which got them root and then installed this exploit. While this isn't great, if someone has unaudited login user level access to your routers, you've already lost. Basic ACL's go a long way to filtering this from outside a logged network too. Security is best when it's a multilayered approach.
This said, I've been greeted with a login prompt telnetting to carrier's upstream router in the last 6 months. They seemed outright confused why I cared about it and closed the ticket. 🤦‍♂️
-- Bryan Fields
727-409-1194 - Voice http://bryanfields.net _______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/2UEVTAIT...
I'm skeptical. Companies with massive financial incentive to deliver secure devices, who control hardware and software and have infinite budgets fail, and produce devices hobbyists own to show their skills. Router vendors are significantly worse positioned. We accidentally regularly find crashing bugs while receiving BGP updates or just packet-of-death which crashes the NPU ucode, which probably could be developed into a remote attack. It would be reasonable to assume that any motivated attacker can own any network device, regardless of the operator's care. And operator care is trivial, I've not seen one properly written lo0 filter, much less ddos-policer config, while Juniper is arguably the best vendor here, most others don't even have a way to protect control-plane. Yet, realised risks out of worst outcomes are trivial costs, especially to the providers. We have a lot of anecdotes of massive infosec failures, and it rarely has any significant financial impact. Heck, when crowstrike had a mistake (fair mistake, impossible to deliver a solution like that for infinite time without making a mistake like that once and a while) I knew it's going to be great for their business, and it was, it not only recovered in share price, but outperformed the market. Because there was a lot of media attention, and infosec leaders who weren't aware of end-point-security were rushing to procure one, since all the big names seemed to be running one, on account of being down. We have a strategic problem in infosec, and we keep treating it as a tactical problem, that one more fix and it's solved. It is not working, and investing specifically to infosec is bad investment. Sure, do things safely and right when it doesn't add cost and is generally best practice. I don't know if the strategic problem can be solved or how to even improve the situation, but what we are doing is new age/faith work, it's not working, and hasn't been working. And it might be, if not fundamentally, commercially impossible to do anything secure, due to the massive leverage the attacker has over the defender. On Sat, 15 Mar 2025 at 02:44, Justin Streiner via NANOG <nanog@lists.nanog.org> wrote:
This underscores the importance of proper security around out-of-band management/console networks and proper security of console ports to the extent that devices offer it.
Thank you jms
On Thu, Mar 13, 2025 at 1:29 PM Bryan Fields via NANOG < nanog@lists.nanog.org> wrote:
On 3/13/25 12:22 PM, Eric Kuhnke via NANOG wrote:
PDF file:
https://supportportal.juniper.net/sfc/servlet.shepherd/document/download/069...
From reading this there was no known remote exploit, they needed user level shell access to exploit another local vulnerability which got them root and then installed this exploit. While this isn't great, if someone has unaudited login user level access to your routers, you've already lost. Basic ACL's go a long way to filtering this from outside a logged network too. Security is best when it's a multilayered approach.
This said, I've been greeted with a login prompt telnetting to carrier's upstream router in the last 6 months. They seemed outright confused why I cared about it and closed the ticket. 🤦‍♂️
-- Bryan Fields
727-409-1194 - Voice http://bryanfields.net _______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/2UEVTAIT...
NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/YM3RDKBI...
-- ++ytti
On Sat, Mar 15, 2025 at 1:28 AM Saku Ytti via NANOG <nanog@lists.nanog.org> wrote:
I'm skeptical. Companies with massive financial incentive to deliver secure devices, who control hardware and software and have infinite budgets fail, and produce devices hobbyists own to show their skills.
Router vendors are significantly worse positioned. We accidentally regularly find crashing bugs while receiving BGP updates or just packet-of-death which crashes the NPU ucode, which probably could be developed into a remote attack.
It would be reasonable to assume that any motivated attacker can own any network device, regardless of the operator's care. And operator care is trivial, I've not seen one properly written lo0 filter, much less ddos-policer config, while Juniper is arguably the best vendor here, most others don't even have a way to protect control-plane.
Yet, realised risks out of worst outcomes are trivial costs, especially to the providers. We have a lot of anecdotes of massive infosec failures, and it rarely has any significant financial impact. Heck, when crowstrike had a mistake (fair mistake, impossible to deliver a solution like that for infinite time without making a mistake like that once and a while) I knew it's going to be great for their business, and it was, it not only recovered in share price, but outperformed the market. Because there was a lot of media attention, and infosec leaders who weren't aware of end-point-security were rushing to procure one, since all the big names seemed to be running one, on account of being down.
We have a strategic problem in infosec, and we keep treating it as a tactical problem, that one more fix and it's solved. It is not working, and investing specifically to infosec is bad investment. Sure, do things safely and right when it doesn't add cost and is generally best practice. I don't know if the strategic problem can be solved or how to even improve the situation, but what we are doing is new age/faith work, it's not working, and hasn't been working. And it might be, if not fundamentally, commercially impossible to do anything secure, due to the massive leverage the attacker has over the defender.
Largely agree. My biggest challenge is that the security vendor industry is my #1 threat. They are constantly pushing snake oil and complicated solutions that do nothing but increase attack surface. Like … stateful firewalls… the original sin of computer network security— the idea a node needs another node to protect it. And, it has really spiraled out of control with Fortinet and Palo Alto dropping zero days constantly…. In perimeter security! How often is it now the avenue of attack is owning the perimeter security device ! Shout out to the IETF too, pushing dnssec which has yet to solve a problem in the real world. We need more solutions like wireguard and Signal’s double ratchet, where simplicity leads to security. Not smoke and mirrors.
On Sat, 15 Mar 2025 at 02:44, Justin Streiner via NANOG <nanog@lists.nanog.org> wrote:
This underscores the importance of proper security around out-of-band management/console networks and proper security of console ports to the extent that devices offer it.
Thank you jms
On Thu, Mar 13, 2025 at 1:29 PM Bryan Fields via NANOG < nanog@lists.nanog.org> wrote:
On 3/13/25 12:22 PM, Eric Kuhnke via NANOG wrote:
PDF file:
https://supportportal.juniper.net/sfc/servlet.shepherd/document/download/069...
From reading this there was no known remote exploit, they needed user
level
shell access to exploit another local vulnerability which got them root and then installed this exploit. While this isn't great, if someone has unaudited login user level access to your routers, you've already lost. Basic ACL's go a long way to filtering this from outside a logged network too. Security is best when it's a multilayered approach.
This said, I've been greeted with a login prompt telnetting to carrier's upstream router in the last 6 months. They seemed outright confused why I cared about it and closed the ticket. 🤦‍♂️
-- Bryan Fields
727-409-1194 - Voice http://bryanfields.net _______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/2UEVTAIT... _______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/YM3RDKBI...
-- ++ytti _______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/OPCWW5ED...
participants (5)
-
Bryan Fields -
Ca By -
Eric Kuhnke -
Justin Streiner -
Saku Ytti