Spectre/Meltdown impact on network devices

Hello,

I'm curious to hear the impact on network devices of these new hardware
flaws that everybody talks about. Yes, the Meltdown/Spectre flaws.

I know that some Arista devices seem to use AMD chips and some say that
they might be immune to one of these vulnerabilities. Still, it's possible
to spawn a bash shell in these, and one with limited privileges could
maybe find some BGP/OSPF/SNMP passwords. Maybe it's also possible to
leak a full config.

I understand that one needs access, but still it could be possible for one
to social engineer a NOC user, hijack the account with limited access
and maybe run the "exploit".

I know it's a lot of "if" and "maybe", but still I'm curious: what is the
status of big networking systems? Are they vulnerable?

Thanks

Jean

https://www.reddit.com/r/networking/comments/7o4y40/meltdownspectre_vulnerability_tracker/

Hi Jean,

Meltdown and Spectre are privilege escalation flaws. If you can induce the
physical hardware to run arbitrary code you provide at an unprivileged
level, they can be used to extract information from other processes or
virtual machine containers running at different (higher) privilege levels.

Network appliances like routers and switches generally do not run untrusted
code so the preconditions for Meltdown and Spectre generally aren't there.

Regards,
Bill Herrin

AFAIK, Meltdown/Spectre require access to some proper programming language and the ability to run the attacker's own code.
If an underprivileged user can't spawn a shell on the device or run some Python code, I guess you are safe.

I guess people need to push the vendors of equipment which has programming languages/shells to release a statement about the possibility of vulnerability.
As fixing requires significant changes in the "memory" operation model, I doubt they will do such a thing; I guess in the best case they will restrict access to inserting
code under nonprivileged users (if it is allowed now).
For example, even old Cisco IOS has TCL, but logically under level 15, so I assume it is safe.

William Herrin wrote:

Meltdown and Spectre are privilege escalation flaws. If you can induce the
physical hardware to run arbitrary code you provide at an unprivileged
level, they can be used to extract information from other processes or
virtual machine containers running at different (higher) privilege levels.

So, Spectre should be fatal to cloud business.

Masataka Ohta

Doubt it. But they are the ones who'll have to scramble fastest to patch.

It's also really giving browser devs a bad day since it provides yet
another escalation out of the JavaScript sandbox.

-Bill

Jason Gmail wrote:

The only business I've been looking at is AWS

https://aws.amazon.com/security/security-bulletins/AWS-2018-013/

It merely says:

  All instances across the Amazon EC2 fleet are protected from
  all known threat vectors from the CVEs previously listed.

not Spectre in general.

But, as mentioned in:

  https://access.redhat.com/security/cve/cve-2017-5715
  It relies on the presence of a precisely-defined instruction
  sequence in the privileged code

and

  https://access.redhat.com/security/cve/cve-2017-5753
  It relies on the presence of a precisely-defined instruction
  sequence in the privileged code

The CVEs previously listed are Spectre attacks between privileged and
unprivileged code, which means a Spectre attack between
unprivileged code is still possible with AWS, which is why
we should avoid cloud servers until the CPU hardware is fixed.

Masataka Ohta

a message of 21 lines which said:

I'm curious to hear the impact on network devices of this new hardware
flaws that everybody talk about. Yes, the Meltdown/Spectre flaws.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechannel

I understand that one need access but still it could be possible for one
to social engineer a NOC user, hijack the account with limited access
and maybe run the "exploit".

There are other ways to run code on the target machine. JavaScript is
the most obvious one (and there are JavaScript exploits for Meltdown)
but, of course, the typical router does not have a Web browser. So,
the best solution, for the attacker, is probably to exploit a bug in
the BGP parser (as we have seen with attribute 99, BGP parsers have
bugs): with a buffer overflow, you may be able to run code you
choose. Purely theoretical at this stage, I didn't try.

BGP runs as a privileged user; if you're already executing code as
BGP, why do you need Spectre or Meltdown? Just read the memory you're
interested in, or set up a port mirror, or reroute traffic.

Some devices run affected Intel chips, like the Cisco ASR9000 series,
and they run Perl and Python, so very exploitable I would expect, IF
you have shell access.

There are much more serious security issues out there to worry about
for networking gear than Meltdown/Spectre, e.g. this great CCC34 preso
where the attacker runs remote code on a Cisco device and removes the
password authentication for Telnet:
https://events.ccc.de/congress/2017/Fahrplan/events/8936.html

The video is on the CCC YouTube channel:
https://www.youtube.com/watch?v=fA6W9_zLCeA

If somebody has shell access you're basically knackered; I'm more
concerned about these kinds of remote exploits as demonstrated. Proper
iACLs/CoPPs and IDS/IPS, good patching cycles, etc.

Cheers,
James.

a message of 20 lines which said:

> I'm curious to hear the impact on network devices of this new hardware
> flaws that everybody talk about. Yes, the Meltdown/Spectre flaws.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechannel

And for Juniper:

https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10842&actp=RSS