Hello,

I'm curious to hear the impact on network devices of these new hardware flaws that everybody talks about. Yes, the Meltdown/Spectre flaws.

I know that some Arista devices seem to use AMD chips, and some say that they might be immune to one of these vulnerabilities. Still, it's possible to spawn a bash shell in these, and one with limited privileges could maybe find some BGP/OSPF/SNMP passwords. Maybe it's also possible to leak a full config.

I understand that one needs access, but still it could be possible for one to social engineer a NOC user, hijack the account with limited access and maybe run the "exploit".

I know it's a lot of "if" and "maybe", but still I'm curious: what is the status of big networking systems? Are they vulnerable?

Thanks
Jean
https://www.reddit.com/r/networking/comments/7o4y40/meltdownspectre_vulnerab...

On Sun, Jan 7, 2018 at 1:02 PM, Jean | ddostest.me via NANOG <nanog@nanog.org> wrote:
Hello,
I'm curious to hear the impact on network devices of these new hardware flaws that everybody talks about. Yes, the Meltdown/Spectre flaws.
I know that some Arista devices seem to use AMD chips, and some say that they might be immune to one of these vulnerabilities. Still, it's possible to spawn a bash shell in these, and one with limited privileges could maybe find some BGP/OSPF/SNMP passwords. Maybe it's also possible to leak a full config.
I understand that one needs access, but still it could be possible for one to social engineer a NOC user, hijack the account with limited access and maybe run the "exploit".
I know it's a lot of "if" and "maybe", but still I'm curious: what is the status of big networking systems? Are they vulnerable?
Thanks
Jean
On Sun, Jan 7, 2018 at 2:02 PM, Jean | ddostest.me via NANOG <nanog@nanog.org> wrote:
I'm curious to hear the impact on network devices of these new hardware flaws that everybody talks about. Yes, the Meltdown/Spectre flaws.

Hi Jean,

Meltdown and Spectre are privilege escalation flaws. If you can induce the physical hardware to run arbitrary code you provide at an unprivileged level, they can be used to extract information from other processes or virtual machine containers running at different (higher) privilege levels.

Network appliances like routers and switches generally do not run untrusted code, so the preconditions for Meltdown and Spectre generally aren't there.

Regards,
Bill Herrin

--
William Herrin ................ herrin@dirtside.com bill@herrin.us
Dirtside Systems ......... Web: <http://www.dirtside.com/>
William Herrin wrote:
Meltdown and Spectre are privilege escalation flaws. If you can induce the physical hardware to run arbitrary code you provide at an unprivileged level, they can be used to extract information from other processes or virtual machine containers running at different (higher) privilege levels.
So, Spectre should be fatal to cloud business.

Masataka Ohta

On Sun, Jan 7, 2018 at 8:57 PM, Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> wrote:
William Herrin wrote:
Meltdown and Spectre are privilege escalation flaws. If you can induce the physical hardware to run arbitrary code you provide at an unprivileged level, they can be used to extract information from other processes or virtual machine containers running at different (higher) privilege levels.
So, Spectre should be fatal to cloud business.

Doubt it. But they are the ones who'll have to scramble fastest to patch.

It's also really giving browser devs a bad day, since it provides yet another escalation out of the JavaScript sandbox.

-Bill

--
William Herrin ................ herrin@dirtside.com bill@herrin.us
Dirtside Systems ......... Web: <http://www.dirtside.com/>
AFAIK, Meltdown/Spectre require access to some proper programming language and the ability to run the attacker's own code. If an underprivileged user can't spawn a shell on the device or run some Python code, I guess you are safe.

I guess people need to push vendors of equipment that has programming languages/shells to release a statement about the possibility of vulnerability. As fixing requires significant changes in the "memory" operation model, I doubt they will do such a thing; I guess in the best case they will restrict access to insert code under non-privileged users (if it is allowed now).

For example, even old Cisco IOS has TCL, but logically under level 15, so I assume it is safe.

On 2018-01-07 21:02, Jean | ddostest.me via NANOG wrote:
Hello,
I'm curious to hear the impact on network devices of these new hardware flaws that everybody talks about. Yes, the Meltdown/Spectre flaws.
I know that some Arista devices seem to use AMD chips, and some say that they might be immune to one of these vulnerabilities. Still, it's possible to spawn a bash shell in these, and one with limited privileges could maybe find some BGP/OSPF/SNMP passwords. Maybe it's also possible to leak a full config.
I understand that one needs access, but still it could be possible for one to social engineer a NOC user, hijack the account with limited access and maybe run the "exploit".
I know it's a lot of "if" and "maybe", but still I'm curious: what is the status of big networking systems? Are they vulnerable?
Thanks
Jean
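The devices Jean and Denys are discussing (a Linux-based NOS where an operator can reach a bash shell) also expose the kernel's own status report for these flaws under sysfs. The script below is an added illustration, not code from the thread or any vendor: it reads and classifies that report, falling back to a constructed sample when the directory is absent; the directory path is the standard Linux one, and the sample contents are invented for the example.

```python
"""Classify the kernel's Meltdown/Spectre status report on a Linux-based NOS."""
from pathlib import Path

# Where kernels from 4.15 onward (and many vendor backports) publish one
# file per flaw, each holding a line such as "Not affected",
# "Vulnerable", "Vulnerable: <partial mitigation>" or "Mitigation: <name>".
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample report for a partially mitigated box (not real device output).
SAMPLE_REPORT = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline",
    "spec_store_bypass": "Not affected",
}


def classify(status: str) -> str:
    """Map one sysfs status line to 'not_affected', 'mitigated' or 'vulnerable'."""
    text = status.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    # Plain "Vulnerable" and "Vulnerable: ..." (partial mitigation) are both exposed.
    return "vulnerable"


def summarize(report: dict) -> dict:
    """Return per-flaw classifications and the sorted list of flaws still exposed."""
    status = {flaw: classify(line) for flaw, line in report.items()}
    exposed = sorted(flaw for flaw, cls in status.items() if cls == "vulnerable")
    return {"status": status, "exposed": exposed}


def read_sysfs(directory: Path = SYSFS_DIR) -> dict:
    """Read the live report; an empty dict means the kernel does not publish one."""
    if not directory.is_dir():
        return {}
    return {p.name: p.read_text() for p in directory.iterdir() if p.is_file()}


if __name__ == "__main__":
    report = read_sysfs() or SAMPLE_REPORT  # fall back to the constructed sample
    result = summarize(report)
    for flaw, cls in result["status"].items():
        print(f"{flaw:20} {cls}")
    print("still exposed:", ", ".join(result["exposed"]) or "none")
```

Run it over the live sysfs directory on a box you administer; any flaw classed "vulnerable" is one where the kernel itself says the mitigation is absent or only partial.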
On Sun, Jan 07, 2018 at 02:02:24PM -0500, Jean | ddostest.me via NANOG <nanog@nanog.org> wrote a message of 21 lines which said:
I'm curious to hear the impact on network devices of these new hardware flaws that everybody talks about. Yes, the Meltdown/Spectre flaws.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-...
I understand that one needs access, but still it could be possible for one to social engineer a NOC user, hijack the account with limited access and maybe run the "exploit".

There are other ways to run code on the target machine. JavaScript is the most obvious one (and there are JavaScript exploits for Meltdown) but, of course, the typical router does not have a Web browser. So, the best solution, for the attacker, is probably to exploit a bug in the BGP parser (as we have seen with attribute 99, BGP parsers have bugs): with a buffer overflow, you may be able to run code you choose. Purely theoretical at this stage, I didn't try.
On 8 January 2018 at 12:41, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
the best solution, for the attacker, is probably to exploit a bug in the BGP parser (as we have seen with attribute 99, BGP parsers have bugs): with a buffer overflow, you may be able to run code you choose. Purely theoretical at this stage, I didn't try.
BGP runs as a privileged user. If you're already executing code as BGP, why do you need Spectre or Meltdown? Just read the memory you're interested in, or set up a port mirror, or reroute traffic.

--
++ytti
On Mon, Jan 08, 2018 at 11:41:04AM +0100, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote a message of 20 lines which said:
I'm curious to hear the impact on network devices of these new hardware flaws that everybody talks about. Yes, the Meltdown/Spectre flaws.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-...
And for Juniper: https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10842&actp=RSS
On 7 January 2018 at 19:02, Jean | ddostest.me via NANOG <nanog@nanog.org> wrote:
Hello,
I'm curious to hear the impact on network devices of these new hardware flaws that everybody talks about. Yes, the Meltdown/Spectre flaws.
I know that some Arista devices seem to use AMD chips, and some say that they might be immune to one of these vulnerabilities. Still, it's possible to spawn a bash shell in these, and one with limited privileges could maybe find some BGP/OSPF/SNMP passwords. Maybe it's also possible to leak a full config.
I understand that one needs access, but still it could be possible for one to social engineer a NOC user, hijack the account with limited access and maybe run the "exploit".
I know it's a lot of "if" and "maybe", but still I'm curious: what is the status of big networking systems? Are they vulnerable?
Thanks
Jean
Some devices run affected Intel chips, like the Cisco ASR9000 series, and they run Perl and Python, so very exploitable I would expect, IF you have shell access.

There are much more serious security issues out there to worry about for networking gear than Meltdown/Spectre, e.g. this great CCC34 preso where the attacker runs remote code on a Cisco device and removes the password authentication for Telnet: https://events.ccc.de/congress/2017/Fahrplan/events/8936.html

The video is on the CCC YouTube channel: https://www.youtube.com/watch?v=fA6W9_zLCeA

If somebody has shell access you're basically knackered; I'm more concerned about these kinds of remote exploits as demonstrated. Proper iACLs/CoPPs and IDS/IPS, good patching cycles, etc.

Cheers,
James.
participants (8): Denys Fedoryshchenko, James Bensley, Jean | ddostest.me, Josh Reynolds, Masataka Ohta, Saku Ytti, Stephane Bortzmeyer, William Herrin