[167886] in North American Network Operators' Group
Re: NSA able to compromise Cisco, Juniper, Huawei switches
daemon@ATHENA.MIT.EDU (Jared Mauch)
Tue Dec 31 11:58:05 2013
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <20131231165011.GA24355@pob.ytti.fi>
Date: Tue, 31 Dec 2013 11:57:15 -0500
To: Saku Ytti <saku@ytti.fi>
Cc: North American Network Operators' Group <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Dec 31, 2013, at 11:50 AM, Saku Ytti <saku@ytti.fi> wrote:
> I asked earlier today JTAC (#2013-1231-0033) and JTAC asked SIRT for a tool to
> read BIOS and output a SHA2 or SHA3 hash, and such a tool does not exist yet. I'm
> dubious, it might be possible even with existing tools. At least it's possible
> to reflash the BIOS with stock JunOS, as a lot of us had to do due to
> misformatted SSD disks.
> But fully agreed some of these sanity checks should be added, it's not a cure-all,
> maybe the attack changes the answers before showing them, maybe the BIOS
> comes infected from Juniper or from Kontron. But it would create an additional
> barrier.
>
> I also emailed Kontron and told them it would be prudent for them to do a press
> release also. Just to know what their public/official statement is.
Most of the vendors (I think Cisco/Juniper) have many of their staff out on vacation this week. I believe both are doing the "mandatory shutdown" or similar that I've seen other folks do around this season. Arbor Networks did something similar as well this year.

If you are looking at your hardware, you can get inexpensive flash readers/writers out there. I have one I use when doing low level hardware work.

There are also tools for your servers (eg: Flashrom) which are available in your favorite repos/ports/elsewhere and work on Linux/FreeBSD/others. You can use this to typically read/checksum your BIOS quickly on supported hardware. I'm sure they would love to have the efforts that have gone into this e-mail thread followed up with hardware/research/contributions to improve the software.

It shouldn't be too hard for you to read your BIOS and load it into IDA Pro or similar to perform checks.

- Jared
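The read-and-checksum step Jared describes, written out as a small POSIX shell script. This is an added example, not code from the thread or from the flashrom project: it wraps a flashrom dump (the `-p internal -r` invocation is flashrom's own syntax; the programmer you need depends on your board and an external reader may be required), records a SHA-256 baseline the first time, and flags any later dump whose hash differs. The file names and the "constructed firmware image" contents are placeholders, not vendor-published images or hashes; a baseline is only as trustworthy as the first image you recorded it from.

```shell
#!/bin/sh
# Added example (not from the NANOG thread or the flashrom project):
# dump a flash image with flashrom when it is installed, then compare
# the image's SHA-256 against a baseline recorded earlier.
# All file names and the hashes they produce are constructed placeholders.

# dump_firmware OUTFILE
# Read the board's flash chip into OUTFILE. Needs root and a programmer
# flashrom supports; "-p internal" is an assumption that the host can read
# its own chip, which is not true on every platform.
dump_firmware() {
    command -v flashrom >/dev/null 2>&1 || {
        echo "flashrom is not installed; dump the chip with an external reader instead" >&2
        return 2
    }
    flashrom -p internal -r "$1"
}

# sha256_of FILE
# Print the SHA-256 digest of FILE, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# record_baseline IMAGE BASELINE_FILE
# Append "<sha256>  <image-name>" (sha256sum's own format) to BASELINE_FILE.
# Keep the baseline file somewhere the box being checked cannot write to.
record_baseline() {
    printf '%s  %s\n' "$(sha256_of "$1")" "$(basename "$1")" >> "$2"
}

# check_against_baseline IMAGE BASELINE_FILE
# Exit status: 0 when the hash matches the recorded one, 1 when it differs,
# 3 when the baseline has no entry for this image name.
check_against_baseline() {
    image="$1"
    baseline="$2"
    name=$(basename "$image")
    expected=$(awk -v n="$name" '$2 == n {print $1}' "$baseline")
    [ -n "$expected" ] || {
        echo "no baseline entry for $name" >&2
        return 3
    }
    actual=$(sha256_of "$image")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $name $actual"
        return 0
    fi
    echo "DIFF $name expected $expected got $actual" >&2
    return 1
}

# Typical use (run by hand, not on sourcing):
#   dump_firmware /var/lib/fwcheck/bios.bin
#   record_baseline /var/lib/fwcheck/bios.bin /media/readonly/baseline.sha256  # first time only
#   check_against_baseline /var/lib/fwcheck/bios.bin /media/readonly/baseline.sha256
```

Two caveats follow from Saku's point above: a dump taken through the host's own flashrom can be lied to by compromised firmware, so the external reader Jared mentions is the stronger path, and a hash mismatch only tells you the image changed, not why; diffing the two images in IDA Pro or similar is the next step.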