[j-nsp] [c-nsp] Meltdown and Spectre

[Chuck Anderson]

Umm, you type the password into the box, right?  The box stores that password in memory so that it can build a TACACS+ request packet to send to the server?  Unless you are using SSH keys in lieu of passwords.

On Mon, Jan 08, 2018 at 05:16:01PM +0100, Sebastian Becker wrote:
> The password will not be seen on the box itself so no problem. The users are tacacs+ authorized/authenticated.
> Most scenarios are much easier to accomplish by using the already granted rights on the boxes per user then using these kinds of attack vectors opened by Meltdown and Spectre.
> 
> Our boxes simply do not run other code than that what is delivered by the vendors.
> 
> — 
> Sebastian Becker
> sb at lab.dtag.de
> 
> > Am 08.01.2018 um 09:32 schrieb Thilo Bangert <thilo.bangert at gmail.com>:
> > 
> > Den 06-01-2018 kl. 19:49 skrev Sebastian Becker:
> >> Same here. User that have access are implicit trusted.
> > 
> > You do have individual user accounts on the equipment, right?
> > 
> > The idea of having secure individual logins goes down the drain with Meltdown and Spectre. You want to be sure that a person logged into a box cannot snoop the password of a co-worker.
> > 
> > Meltdown and Spectre are relevant on all affected computing equipment.
> > 
> > > So no need for panic.
> > 
> > The usefulness of panic has been degrading the past couple of thousand years ;-)