nanog mailing list archives
Re: Spectre/Meltdown impact on network devices
From: Stephane Bortzmeyer <bortzmeyer () nic fr>
Date: Mon, 8 Jan 2018 11:41:04 +0100
On Sun, Jan 07, 2018 at 02:02:24PM -0500, Jean | ddostest.me via NANOG <nanog () nanog org> wrote a message of 21 lines which said:
I'm curious to hear the impact on network devices of these new hardware flaws that everybody talks about. Yes, the Meltdown/Spectre flaws.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechannel
I understand that one needs access but still it could be possible for one to social engineer a NOC user, hijack the account with limited access and maybe run the "exploit".
There are other ways to run code on the target machine. JavaScript is the most obvious one (and there are JavaScript exploits for Meltdown) but, of course, the typical router does not have a Web browser. So, the best solution, for the attacker, is probably to exploit a bug in the BGP parser (as we have seen with attribute 99, BGP parsers have bugs): with a buffer overflow, you may be able to run code you choose. Purely theoretical at this stage, I didn't try.