Re: Spectre/Meltdown impact on network devices

[Denys Fedoryshchenko <denys () visp net lb>]

AFAIK, Meltdown/Spectre require access to some proper programming 
language and ability to run attacker own code.
If underprivileged user can't spawn shell on device or run some python 
code - i guess you are safe.

I guess people need to push support of vendors, for equipment who has 
programming languages/shell, to release statement about possibility of 
vulnerability.
As fixing require significant changes in "memory" operation model, i 
doubt they will do such thing, i guess in best case they will restrict 
access to insert
code under nonprivileged users (if it is allowed now).
For example, even old Cisco IOS has TCL, but logically under level 15, 
so i assume it is safe.

On 2018-01-07 21:02, Jean | ddostest.me via NANOG wrote:
> Hello,
>
> I'm curious to hear the impact on network devices of this new hardware
> flaws that everybody talk about. Yes, the Meltdown/Spectre flaws.
>
> I know that some Arista devices seem to use AMD chips and some say that
> they might be immune to one of these vulnerability. Still, it's 
> possible
> to spawn a bash shell in these and one with limited privileges could
> maybe find some BGP/Ospf/SNMP passwords. Maybe it's also possible to
> leak a full config.
>
> I understand that one need access but still it could be possible for 
> one
> to social engineer a NOC user, hijack the account with limited access
> and maybe run the "exploit".
>
> I know it's a lot of "if" and "maybe", but still I'm curious what is 
> the
> status of big networking systems? Are they vulnerable?
>
> Thanks
>
> Jean