[j-nsp] [c-nsp] Meltdown and Spectre
Chuck Anderson
cra at WPI.EDU
Mon Jan 8 12:11:21 EST 2018
Umm, you type the password into the box, right? The box stores that password in memory so that it can build a TACACS+ request packet to send to the server? Unless you are using SSH keys in lieu of passwords.
On Mon, Jan 08, 2018 at 05:16:01PM +0100, Sebastian Becker wrote:
> The password will not be seen on the box itself so no problem. The users are tacacs+ authorized/authenticated.
> Most scenarios are much easier to accomplish by using the already granted rights on the boxes per user than using these kinds of attack vectors opened by Meltdown and Spectre.
>
> Our boxes simply do not run other code than what is delivered by the vendors.
>
> —
> Sebastian Becker
> sb at lab.dtag.de
>
> > On 08.01.2018 at 09:32, Thilo Bangert <thilo.bangert at gmail.com> wrote:
> >
> > On 06-01-2018 at 19:49, Sebastian Becker wrote:
> >> Same here. Users that have access are implicitly trusted.
> >
> > You do have individual user accounts on the equipment, right?
> >
> > The idea of having secure individual logins goes down the drain with Meltdown and Spectre. You want to be sure that a person logged into a box cannot snoop the password of a co-worker.
> >
> > Meltdown and Spectre are relevant on all affected computing equipment.
> >
> > > So no need for panic.
> >
> > The usefulness of panic has been degrading the past couple of thousand years ;-)