Re: [j-nsp] [c-nsp] Meltdown and Spectre

2018-01-09 Thread Sebastian Becker
No … only a one-time password. My password does not leave my computer.

But again. Yes, you can construct something that might be a risk. But the users 
(by intention a very limited number) cannot run unsigned code (as Gert described 
already). So for the moment we are waiting for the vendors and will then use a 
fixed version with the next software update. But we have no need to hurry or any 
reason for panic.

— 
Sebastian Becker
s...@lab.dtag.de

> On 08.01.2018 at 18:11, Chuck Anderson wrote:
> 
> 
> Umm, you type the password into the box, right?  The box stores that password 
> in memory so that it can build a TACACS+ request packet to send to the 
> server?  Unless you are using SSH keys in lieu of passwords.
> 
> On Mon, Jan 08, 2018 at 05:16:01PM +0100, Sebastian Becker wrote:
>> The password will not be seen on the box itself, so no problem. The users are 
>> TACACS+ authorized/authenticated.
>> Most scenarios are much easier to accomplish by using the already granted 
>> rights on the boxes per user than using these kinds of attack vectors opened 
>> by Meltdown and Spectre.
>> 
>> Our boxes simply do not run other code than what is delivered by the 
>> vendors.
>> 
>> — 
>> Sebastian Becker
>> s...@lab.dtag.de
>> 
>>> On 08.01.2018 at 09:32, Thilo Bangert wrote:
>>> 
>>> On 06-01-2018 at 19:49, Sebastian Becker wrote:
>>>> Same here. Users that have access are implicitly trusted.
>>> 
>>> You do have individual user accounts on the equipment, right?
>>> 
>>> The idea of having secure individual logins goes down the drain with 
>>> Meltdown and Spectre. You want to be sure that a person logged into a box 
>>> cannot snoop the password of a co-worker.
>>> 
>>> Meltdown and Spectre are relevant on all affected computing equipment.
>>> 
>>>> So no need for panic.
>>> 
>>> The usefulness of panic has been degrading the past couple of thousand 
>>> years ;-)

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] [c-nsp] Meltdown and Spectre

2018-01-08 Thread Alain Hebert

If someone can sniff your authentication...

You're in deep trouble.

Also for 2018, how about dropping the whataboutisms. It is clear that those 
oddly timed flaws do not affect properly configured JNP devices.


-
Alain Hebert                aheb...@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911   http://www.pubnix.net   Fax: 514-990-9443

On 01/08/18 12:11, Chuck Anderson wrote:
> Umm, you type the password into the box, right?  The box stores that password 
> in memory so that it can build a TACACS+ request packet to send to the server?  
> Unless you are using SSH keys in lieu of passwords.
> 
> On Mon, Jan 08, 2018 at 05:16:01PM +0100, Sebastian Becker wrote:
>> The password will not be seen on the box itself, so no problem. The users are 
>> TACACS+ authorized/authenticated.
>> Most scenarios are much easier to accomplish by using the already granted 
>> rights on the boxes per user than using these kinds of attack vectors opened by 
>> Meltdown and Spectre.
>> 
>> Our boxes simply do not run other code than what is delivered by the 
>> vendors.
>> 
>> —
>> Sebastian Becker
>> s...@lab.dtag.de
>> 
>>> On 08.01.2018 at 09:32, Thilo Bangert wrote:
>>> 
>>> On 06-01-2018 at 19:49, Sebastian Becker wrote:
>>>> Same here. Users that have access are implicitly trusted.
>>> 
>>> You do have individual user accounts on the equipment, right?
>>> 
>>> The idea of having secure individual logins goes down the drain with Meltdown 
>>> and Spectre. You want to be sure that a person logged into a box cannot snoop 
>>> the password of a co-worker.
>>> 
>>> Meltdown and Spectre are relevant on all affected computing equipment.
>>> 
>>>> So no need for panic.
>>> 
>>> The usefulness of panic has been degrading the past couple of thousand years ;-)


Re: [j-nsp] [c-nsp] Meltdown and Spectre

2018-01-08 Thread Chuck Anderson
Umm, you type the password into the box, right?  The box stores that password 
in memory so that it can build a TACACS+ request packet to send to the server?  
Unless you are using SSH keys in lieu of passwords.

On Mon, Jan 08, 2018 at 05:16:01PM +0100, Sebastian Becker wrote:
> The password will not be seen on the box itself, so no problem. The users are 
> TACACS+ authorized/authenticated.
> Most scenarios are much easier to accomplish by using the already granted 
> rights on the boxes per user than using these kinds of attack vectors opened 
> by Meltdown and Spectre.
> 
> Our boxes simply do not run other code than what is delivered by the 
> vendors.
> 
> — 
> Sebastian Becker
> s...@lab.dtag.de
> 
> > On 08.01.2018 at 09:32, Thilo Bangert wrote:
> > 
> > On 06-01-2018 at 19:49, Sebastian Becker wrote:
> >> Same here. Users that have access are implicitly trusted.
> > 
> > You do have individual user accounts on the equipment, right?
> > 
> > The idea of having secure individual logins goes down the drain with 
> > Meltdown and Spectre. You want to be sure that a person logged into a box 
> > cannot snoop the password of a co-worker.
> > 
> > Meltdown and Spectre are relevant on all affected computing equipment.
> > 
> > > So no need for panic.
> > 
> > The usefulness of panic has been degrading the past couple of thousand 
> > years ;-)

Re: [j-nsp] [c-nsp] Meltdown and Spectre

2018-01-08 Thread Sebastian Becker
The password will not be seen on the box itself, so no problem. The users are 
TACACS+ authorized/authenticated.
Most scenarios are much easier to accomplish by using the already granted 
rights on the boxes per user than using these kinds of attack vectors opened by 
Meltdown and Spectre.

Our boxes simply do not run other code than what is delivered by the 
vendors.

— 
Sebastian Becker
s...@lab.dtag.de

> On 08.01.2018 at 09:32, Thilo Bangert wrote:
> 
> On 06-01-2018 at 19:49, Sebastian Becker wrote:
>> Same here. Users that have access are implicitly trusted.
> 
> You do have individual user accounts on the equipment, right?
> 
> The idea of having secure individual logins goes down the drain with Meltdown 
> and Spectre. You want to be sure that a person logged into a box cannot snoop 
> the password of a co-worker.
> 
> Meltdown and Spectre are relevant on all affected computing equipment.
> 
> > So no need for panic.
> 
> The usefulness of panic has been degrading the past couple of thousand years 
> ;-)

Re: [j-nsp] [c-nsp] Meltdown and Spectre

2018-01-08 Thread Gert Doering
Hi,

On Mon, Jan 08, 2018 at 09:32:23AM +0100, Thilo Bangert wrote:
> On 06-01-2018 at 19:49, Sebastian Becker wrote:
> > Same here. Users that have access are implicitly trusted.
> 
> You do have individual user accounts on the equipment, right?
> 
> The idea of having secure individual logins goes down the drain with 
> Meltdown and Spectre. You want to be sure that a person logged into a 
> box cannot snoop the password of a co-worker.

Only if said person can execute *arbitrary* code.  Which you can't on my
routers, no matter what sort of account I'm giving you.

gert
-- 
now what should I write here...

Gert Doering - Munich, Germany g...@greenie.muc.de


Re: [j-nsp] [c-nsp] Meltdown and Spectre

2018-01-08 Thread Thilo Bangert

On 06-01-2018 at 19:49, Sebastian Becker wrote:
> Same here. Users that have access are implicitly trusted.


You do have individual user accounts on the equipment, right?

The idea of having secure individual logins goes down the drain with 
Meltdown and Spectre. You want to be sure that a person logged into a 
box cannot snoop the password of a co-worker.


Meltdown and Spectre are relevant on all affected computing equipment.

> So no need for panic.

The usefulness of panic has been degrading the past couple of thousand 
years ;-)


Re: [j-nsp] [c-nsp] Meltdown and Spectre

2018-01-06 Thread Tomasz Mikołajek
Hello.
Info from Juniper:
https://forums.juniper.net/t5/Security-Now/Meltdown-amp-Spectre-Modern-CPU-vulnerabilities/ba-p/317254#

On Sat, 6.01.2018 at 19:51, Sebastian Becker wrote:

> Same here. Users that have access are implicitly trusted. So no need for
> panic.
>
> —
> Sebastian Becker
> s...@lab.dtag.de
>
> > On 06.01.2018 at 12:58, Gert Doering wrote:
> >
> > Hi,
> >
> > On Sat, Jan 06, 2018 at 12:04:22PM +0100, james list wrote:
> >> For CVEs related to Meltdown and Spectre, I'm wondering what you are
> >> doing or going to do on your networking gear?
> >
> > "Nothing"...
> >
> > My networking gear does not execute external code (like, JavaScript),
> > so the question "will untrusted external code be able to read secrets
> > it should not see" is not overly relevant.
> >
> >
> > Now, for those newfangled stuff where vendors think that you MUST HAVE
> > VIRTUALIZATION! on the control plane, so YOU CAN RUN STUFF THERE!!! -
> > we do not have any of those (yet), but if we had, we'd ask them for
> > hypervisor patches...
> >
> > gert
> >
> >
> > --
> > now what should I write here...
> >
> > Gert Doering - Munich, Germany g...@greenie.muc.de

Re: [j-nsp] [c-nsp] Meltdown and Spectre

2018-01-06 Thread Sebastian Becker
Same here. Users that have access are implicitly trusted. So no need for panic.

—
Sebastian Becker
s...@lab.dtag.de

> On 06.01.2018 at 12:58, Gert Doering wrote:
> 
> Hi,
> 
> On Sat, Jan 06, 2018 at 12:04:22PM +0100, james list wrote:
>> For CVEs related to Meltdown and Spectre, I'm wondering what you are
>> doing or going to do on your networking gear?
> 
> "Nothing"...
> 
> My networking gear does not execute external code (like, JavaScript),
> so the question "will untrusted external code be able to read secrets
> it should not see" is not overly relevant.
> 
> 
> Now, for those newfangled stuff where vendors think that you MUST HAVE
> VIRTUALIZATION! on the control plane, so YOU CAN RUN STUFF THERE!!! -
> we do not have any of those (yet), but if we had, we'd ask them for
> hypervisor patches...
> 
> gert
> 
> 
> --
> now what should I write here...
> 
> Gert Doering - Munich, Germany g...@greenie.muc.de


Re: [j-nsp] [c-nsp] Meltdown and Spectre

2018-01-06 Thread Gert Doering
Hi,

On Sat, Jan 06, 2018 at 12:04:22PM +0100, james list wrote:
> For CVEs related to Meltdown and Spectre, I'm wondering what you are
> doing or going to do on your networking gear?

"Nothing"...

My networking gear does not execute external code (like, JavaScript),
so the question "will untrusted external code be able to read secrets
it should not see" is not overly relevant.


Now, for those newfangled stuff where vendors think that you MUST HAVE
VIRTUALIZATION! on the control plane, so YOU CAN RUN STUFF THERE!!! - 
we do not have any of those (yet), but if we had, we'd ask them for
hypervisor patches...

gert


-- 
now what should I write here...

Gert Doering - Munich, Germany g...@greenie.muc.de
