Re: Spectre/Meltdown impact on network devices

[James Bensley <jwbensley () gmail com>]

On 7 January 2018 at 19:02, Jean | ddostest.me via NANOG
<nanog () nanog org> wrote:
> Hello,
>
> I'm curious to hear the impact on network devices of this new hardware
> flaws that everybody talk about. Yes, the Meltdown/Spectre flaws.
>
> I know that some Arista devices seem to use AMD chips and some say that
> they might be immune to one of these vulnerability. Still, it's possible
> to spawn a bash shell in these and one with limited privileges could
> maybe find some BGP/Ospf/SNMP passwords. Maybe it's also possible to
> leak a full config.
>
> I understand that one need access but still it could be possible for one
> to social engineer a NOC user, hijack the account with limited access
> and maybe run the "exploit".
>
> I know it's a lot of "if" and "maybe", but still I'm curious what is the
> status of big networking systems? Are they vulnerable?
>
> Thanks
>
> Jean

Some devices run affected Intel chips like the Cisco ASR9000 series
and they run Perl and Python so very exploitable I would expect, IF
you have shell access.

There are much more serious security issues out there to worry about
for networking gear than Meltdown/Spectre, e.g. this great CCC34 preso
where the attacker runs remote code on a Cisco device and removes the
password authentication for Telnet:
https://events.ccc.de/congress/2017/Fahrplan/events/8936.html

The video is on the CCC YouTube channel:
https://www.youtube.com/watch?v=fA6W9_zLCeA

If somebody has shell access you're basically knackered, I'm more
concerned about these kinds of remote exploits as demonstrated. Proper
iACLs/CoPPs and IDS/IPS, good patching cycles etc.

Cheers,
James.