On Sun, 16 Mar 2025 at 02:44, Geoff Belknap via NANOG <[email protected]> wrote:
>
> [...] Keep in mind how many
> network devices have quietly become linux or bsd devices running a control
> plane in a container (without exposing the underlying OS to operators
> directly). If a bad actor finds an exposed management service (that never
> happens, right?) how confident is everyone they'd know if that bad actor
> exploited the service and landed on the underlying host OS? Not the control
> plane, the baremetal OS. How confident are we that they couldn't exploit
> that position to search for and compromise more of the network?
This is something that I'm quite worried about. JunOS has veriexec, which in itself is a useful piece of software, but the linux host does not. Also, we have the issue of the base OS on linecards, such as mpc7, 10 and lc9600. If you manage to get root on those, you are root on the RE. I've successfully run adversary VMs on RE-x6 (or RSP5 for that matter), haven't tried to make the service ports useful, but the IP out-of-band interfaces (which IIRC are in a linux bridge) are usable... Nice vantage point to pivot from.

XR is not any better: two VMs per card (LC/RSP), multiple containers; not only is the codebase pretty huge (vulnerability management - what a pain) but it's very easy to hide a piece of software wherever you want.

_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/[email protected]/message/K7JEE4IVXSMNAUFXM4HNFKD5XGRY7BPB/
