[j-nsp] Meltdown and Spectre
Ola Thoresen
ola at nytt.no
Mon Jan 8 06:15:47 EST 2018
On 08. jan. 2018 12:10, Saku Ytti wrote:
> On 8 January 2018 at 12:58, Benoit Plessis <b.plessis at doyousoft.com> wrote:
>
>> I can SCP any binary I want on any JunOS platform I own (EX,SRX,QFX),
>> QFX 5100 lets you run arbitrary VM !
> Pretty sure Gert meant that the binaries need to be signed since maybe
> the last 10 years.
> But I think if you can configure the box, you can change rootPW, turn
> off signature verification and boot the box, unsure.
I don't think you can turn off signature verification.
"Juniper Networks routing platforms run only binaries supplied by
Juniper Networks, and currently do not support third-party binaries.
Each Junos OS image includes a digitally signed manifest of executables
that are registered with the system only if the signature can be
validated. Junos OS will not execute any binary without a registered
signature. This feature protects the system against unauthorized
software and activity that might compromise the integrity of your device."
https://www.juniper.net/documentation/en_US/junos/topics/concept/junos-one-software-overview.html
And for brevity, I just uploaded a pre-compiled version of "ls" to a
Juniper device, and I am not allowed to run it.
> start shell
% chmod 755 /var/tmp/ls
% /var/tmp/ls
/var/tmp/ls: Authentication error.
You can run your own shell scripts through /sbin/sh, but I do not think
that is enough to get any use out of these bugs:
% ./test.sh
./test.sh: Authentication error.
But:
% sh test.sh
Test
> At any rate, I think it's an uninteresting and unimportant topic; if you
> can't trust people configuring your network, it's decidedly an HR problem
> and no amount of code or hardware will fix that.
>