Multiple Severe Vulnerabilities Reported in Juniper Networks Hardware (juniper.net)
109 points by lgats 5 months ago | 31 comments

'The affected SSHD configuration has the PermitEmptyPasswords option set to "yes".'


Honestly this is not that odd. If you have local users with no password (not normal), and ssh exposed, you prob have bigger issues. Do agree tho, this is a stupid default and surprising it got past any sort of system hardening checklist.
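A defender-side audit of the combination the advisory quotes above (sshd permitting empty passwords while local accounts actually have none), written as an added example and not code from Juniper or from any commenter. The sshd_config and shadow contents are constructed samples; stopping at the first Match block is a simplifying assumption.

```python
"""Check whether sshd_config permits empty passwords and which local accounts
have an empty password field. Inputs are constructed samples, not real data."""
import re


def permit_empty_passwords(config_text: str) -> bool:
    """True if the global sshd_config section sets PermitEmptyPasswords yes.
    sshd_config(5): the FIRST value read for a keyword wins, so later duplicates
    are ignored. Assumption: Match blocks are not evaluated by this audit."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match "):
            break  # everything after the first Match is conditional
        m = re.match(r"(?i)^permitemptypasswords[\s=]+(\S+)", line)
        if m:
            return m.group(1).lower() == "yes"
    return False  # OpenSSH default is "no"


def empty_password_accounts(shadow_text: str) -> list:
    """Usernames whose hashed-password field is empty (no password at all).
    Locked accounts ('!', '*', '!!') are deliberately not reported."""
    users = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            users.append(fields[0])
    return users


def exposed_accounts(config_text: str, shadow_text: str) -> list:
    """Accounts reachable over ssh with no password, given both conditions."""
    if not permit_empty_passwords(config_text):
        return []
    return empty_password_accounts(shadow_text)


# Constructed sample: the weak setting, followed by a duplicate sshd will ignore.
SAMPLE_SSHD_CONFIG = """# constructed sample sshd_config
Port 22
PermitEmptyPasswords yes
PermitEmptyPasswords no
"""
# Constructed sample shadow file: one hashed, one locked, one empty password.
SAMPLE_SHADOW = """root:$6$saltsalt$hashhashhash:18000:0:99999:7:::
svc:!:18000:0:99999:7:::
guest::18000:0:99999:7:::
"""

if __name__ == "__main__":
    print(exposed_accounts(SAMPLE_SSHD_CONFIG, SAMPLE_SHADOW))  # ['guest']
```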

IIRC, OpenWRT also uses password-less root access via ssh by default and indeed, one might find these kinds of configs in provisioning setups quite often. What are the options these days besides default user/pw? The (plastic) router from my ISP has this sticker on the back with a custom default pw for user access. Always wondered how this works... probably somehow derived from MAC addresses and/or other factors.

The last time I checked, the password-less root is on first setup with telnet, accessible only via LAN and with Wi-Fi off.

The first thing it asks you to do is to set a password, before enabling SSH.

FreeBSD vulns or Junos introduced?

Mostly OpenSSH

It's a nice day to consider a Linux-based whitebox switch.

Fun fact, Arista switches are very lightly modified minimal Fedora installs with some fancy hardware. The entire userspace (literally all of it) is written in well-done Python and the magic is all in their ASICs. I got to RE their entire firmware as part of R&D at one of my previous employers.

Arista uses commodity ASICs which are programmed from specialized binary blobs running in a Linux-based userspace. This is the same thing Linux whitebox switches do.

Sorry, I should have better specified. The magic is in the ASICs that are programmed with their own proprietary magic, but most of the userspace is written in Python, and it is relatively well-written Python.

The majority of the userspace is not in Python, but binaries. None of the magic is in the ASICs (which are commodity Broadcom).

Sorry, the majority of the troubleshooting and management bits are all in Python. You can even get a bash shell on an Arista if you want. Quite nice hardware.

Don't they run on commodity Broadcom ASICs?

Modern network ASICs are highly programmable devices. So you can implement a lot of magic on the same hardware as competitors.

It's really not one way or the other, but the software and hardware working together that's important.

[disclaimer: I am a former Arista employee. I did some of the "light" Fedora modifications.]

Did I get it wrong? One thing we found interesting is that we could run unmodified software directly on the switches so long as we built it for the AMD Athlons running on them.

Yes but then again, so do some Cisco switches nowadays. Arista's management team is former Cisco as well. There is a tangled legal history between the two companies, with Cisco claiming various patent infringements. So far as I know, none of the claims are hardware-related.

Previous poster claimed that all of the magic was hardware but I've always been told that it was in the software. HPE now seems to have some agreement with Arista.

Precisely my point. Cumulus, Canonical, Fedora - take your pick.

Arista impressed me with their automated testing. Prices are very reasonable too.

Everyone has automated testing. What Arista doesn’t have is 20+ years of features (bloat).

I'd like to think they do, but Cisco and Juniper sales guys have been rather cagey on the scale of their testing.

As a customer of both Cisco and Juniper for many years, I can surmise based on experience of their software quality that Cisco has terrible automated testing, and Juniper has less terrible but still terrible automated testing.

Both vendors have a lot of legacy code, so this is somewhat expected. Arista started with modern kernels and used modern development practices from the start.

Barracuda firewalls are similar: mostly vanilla Linux with a little magic.

That 'little' magic being specialized hardware packet processors that are programmed from proprietary programs running in Linux.

That way when a vulnerability is found in your control plane, there's no one to issue a bulletin, so no problem!

In other words, several other (non-friendly) countries have their own NSA. Live by the sword and all...

And those countries would not engage in surveillance if the US did not? You create a 2 country elementary payoff matrix for that game and tell everyone what the Nash equilibrium is.

Never said or meant to say that. Nations have spied and will spy on each other. Just suggested that Juniper had been pwned; it seems unlikely for 30 or so vulnerabilities to be disclosed at the same time otherwise.

What does your comment say when translated to the language of mere mortals? Asking for a friend.

> And those countries would not engage in surveillance if the US did not?

A rhetorical question about whether other countries would spy on citizens if the US were to stop. (Hint, the answer is that they absolutely would continue).

> You create a 2 country elementary payoff matrix for that game and tell everyone what the Nash equilibrium is.

I think this is saying that there is nothing for other countries to gain by stopping surveillance programs, even if the US were to. This is the Nash equilibrium[1].

[1]: https://en.wikipedia.org/wiki/Nash_equilibrium

