[j-nsp] Meltdown and Spectre

Misak Khachatryan m.khachatryan at gnc.am
Mon Jan 8 06:45:55 EST 2018


Hi,

although I think this is a theoretical-only discussion, but

If JavaScript on a browser can do it, I think at least a Python script
will do it. And it's not a problem to run it.


Best regards,
Misak Khachatryan


On Mon, Jan 8, 2018 at 3:15 PM, Ola Thoresen <ola at nytt.no> wrote:
> On 08. jan. 2018 12:10, Saku Ytti wrote:
>
>> On 8 January 2018 at 12:58, Benoit Plessis <b.plessis at doyousoft.com> wrote:
>>
> >>> I can SCP any binary I want on any JunOS platform I own (EX,SRX,QFX),
> >>> QFX 5100 lets you run arbitrary VMs!
> >> Pretty sure Gert meant that the binaries need to be signed since maybe
> >> last 10 years.
>> But I think if you can configure the box, you can change rootPW, turn
>> off signature verification and boot the box, unsure.
>
> I don't think you can turn off signature verification.
>
> "Juniper Networks routing platforms run only binaries supplied by
> Juniper Networks, and currently do not support third-party binaries.
> Each Junos OS image includes a digitally signed manifest of executables
> that are registered with the system only if the signature can be
> validated. Junos OS will not execute any binary without a registered
> signature. This feature protects the system against unauthorized
> software and activity that might compromise the integrity of your device."
>
> https://www.juniper.net/documentation/en_US/junos/topics/concept/junos-one-software-overview.html
>
> And for brevity: I just uploaded a pre-compiled version of "ls" to a
> juniper device, and I am not allowed to run it.
>
>  > start shell
> % chmod 755 /var/tmp/ls
> % /var/tmp/ls
> /var/tmp/ls: Authentication error.
>
> You can run your own shell-scripts through /sbin/sh, but I do not think
> that is enough to get any use out of these bugs:
>
> % ./test.sh
> ./test.sh: Authentication error.
>
> But:
>
> % sh test.sh
> Test
>
>
>
>> At any rate, I think it's an uninteresting and unimportant topic, if you
>> can't trust people configuring your network, it's decidedly an HR problem
>> and no amount of code or hardware will fix that.
>>
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
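
The behaviour in the quoted shell session (an uploaded `ls` and `./test.sh` refused, `sh test.sh` accepted) follows from an exec gate that checks only the image being executed. The sketch below is an added example, not code from the thread or from Junos: it is a simplified model in which an HMAC stands in for the manifest's digital signature, and the key, file contents and function names are all constructed for illustration.

```python
import hashlib, hmac, json

VENDOR_KEY = b"constructed-demo-key"  # stand-in for the vendor signing key (assumption)

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sign_manifest(entries: dict) -> dict:
    """Vendor side: list path -> SHA-256 and authenticate the list."""
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "sig": hmac.new(VENDOR_KEY, body, "sha256").hexdigest()}

def load_registry(manifest: dict) -> dict:
    """Device side: register entries only if the manifest signature validates."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(VENDOR_KEY, body, "sha256").hexdigest()
    ok = hmac.compare_digest(expected, manifest["sig"])
    return dict(manifest["entries"]) if ok else {}

def try_exec(registry: dict, fs: dict, argv: list) -> str:
    """The gate inspects only argv[0], the image handed to exec."""
    image = argv[0]
    if registry.get(image) != digest(fs[image]):
        return f"{image}: Authentication error."
    if image == "/sbin/sh" and len(argv) > 1:
        # The script is read as data by a registered interpreter; it is never gated.
        return "interpreted " + argv[1]
    return "executed " + image

# Constructed file system: one vendor binary and two operator-uploaded files.
FS = {"/sbin/sh": b"vendor shell image",
      "/var/tmp/ls": b"precompiled ls uploaded by operator",
      "/var/tmp/test.sh": b"echo Test\n"}
MANIFEST = sign_manifest({"/sbin/sh": digest(FS["/sbin/sh"])})
REGISTRY = load_registry(MANIFEST)

if __name__ == "__main__":
    for argv in (["/var/tmp/ls"], ["/var/tmp/test.sh"], ["/sbin/sh", "/var/tmp/test.sh"]):
        print(try_exec(REGISTRY, FS, argv))
```

In this model the signed manifest constrains which images run, so what an interpreter is allowed to do with unsigned input has to be restricted separately (for example, by limiting who can reach the shell).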

