[c-nsp] [j-nsp] Meltdown and Spectre

Peter Rathlev peter at rathlev.dk
Mon Jan 8 09:17:09 EST 2018


On Mon, 2018-01-08 at 10:01 +0100, Gert Doering wrote:
> On Mon, Jan 08, 2018 at 09:32:23AM +0100, Thilo Bangert wrote:
> > The idea of having secure individual logins goes down the drain
> > with Meltdown and Spectre. You want to be sure that a person logged
> > into a box cannot snoop the password of a co-worker.
> 
> Only if said person can execute *arbitrary* code.  Which you can't on
> my routers, no matter what sort of account I'm giving you.

I completely agree with the basic principle of your argument, and I am
not losing sleep over Meltdown or Spectre on any of our dumb routers
and switches and old firewalls, e.g. "proper" network equipment.

But... if JavaScript can be used to exploit these things, then might
simple TCL scripting via EEM not also? If so, we implicitly trust the
people that are given the right to execute e.g. TCL on network
equipment.

Even if it were a problem, it should at least be simple for Cisco to
patch.

-- 
Peter


