nanog mailing list archives

[NANOG] Re: JunOS and MX trojan and malware


From: Pierre Emeriaud via NANOG <nanog () lists nanog org>
Date: Mon, 31 Mar 2025 17:01:59 +0200

On Sun, 16 Mar 2025 at 02:44, Geoff Belknap via NANOG
<nanog () lists nanog org> wrote:

> [...] Keep in mind how many
> network devices have quietly become Linux or BSD devices running a control
> plane in a container (without exposing the underlying OS to operators
> directly). If a bad actor finds an exposed management service (that never
> happens, right?) how confident is everyone they'd know if that bad actor
> exploited the service and landed on the underlying host OS? Not the control
> plane, the baremetal OS. How confident are we that they couldn't exploit
> that position to search for and compromise more of the network?

This is something that I'm quite worried about. JunOS has veriexec,
which in itself is a useful piece of software, but the Linux host does
not. Also, we have the issue of the base OS on linecards, such as
mpc7, 10 and lc9600. If you manage to get root on those, you are root
on the RE.

I've successfully run adversary VMs on RE-x6 (or RSP5 for that
matter), haven't tried to make the service ports useful, but the IP
out-of-band interfaces (which IIRC are in a Linux bridge) are
usable... Nice vantage point to pivot from.

XR is not any better: two VMs per card (LC/RSP), multiple containers.
Not only is the codebase pretty huge (vulnerability management - what
a pain), but it's also very easy to hide a piece of software wherever you
want.
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/K7JEE4IVXSMNAUFXM4HNFKD5XGRY7BPB/
