Security Bulletin - Updates for microprocessors side channel analysis vulnerabilities CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754 (Meltdown/Spectre)
Security Bulletin ID: SB10226
Last Modified: 2022-05-04 15:20:17 Etc/GMT
Summary
First Published: February 16, 2018
What are the CVSS scoring metrics that have been used?
CVE-2017-5715 – Spectre
The following CVSS version 3.0 vector (base plus temporal metrics) was used to generate the score:
https://nvd.nist.gov/cvss/v3-calculator?vector=AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N/E:P/RL:T/RC:C
CVE-2017-5753 – Spectre
The following CVSS version 3.0 vector (base plus temporal metrics) was used to generate the score:
https://nvd.nist.gov/cvss/v3-calculator?vector=AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N/E:P/RL:T/RC:C
CVE-2017-5754 – Meltdown (Intel Processors)
The following CVSS version 3.0 vector (base plus temporal metrics) was used to generate the score:
https://nvd.nist.gov/cvss/v3-calculator?vector=AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N/E:P/RL:T/RC:C
Where can I find a list of all Security Bulletins?
All Security Bulletins are published on our Knowledge Center. Security Bulletins are retired (removed) once a product is both End of Sale and End of Support (End of Life).
How do I report a product vulnerability to you?
If you have information about a security issue or vulnerability with a product, follow the instructions provided in KB95563 - Report a vulnerability.
How do you respond to this and any other reported security flaws?
Our key priority is the security of our customers. If a vulnerability is found within any of our software or services, we work closely with the relevant security software development team to ensure the rapid and effective development of a fix and communication plan.
We only publish Security Bulletins if they include something actionable such as a workaround, mitigation, version update, or hotfix. Otherwise, we would simply be informing the hacker community that our products are a target, putting our customers at greater risk. For products that are updated automatically, a non-actionable Security Bulletin might be published to acknowledge the discoverer.
To view our PSIRT policy, see KB95564 - About PSIRT.
Resources
Disclaimer
The information provided in this Security Bulletin is provided as is without warranty of any kind. We disclaim all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall we or our suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits, or special damages, even if we or our suppliers have been advised of the possibility of such damages. Some states don't allow the exclusion or limitation of liability for consequential or incidental damages, so the preceding limitation may not apply.
Any future product release dates mentioned in this Security Bulletin are intended to outline our general product direction, and they shouldn't be relied on in making a purchasing decision. The product release dates are for information purposes only, and may not be incorporated into any contract. The product release dates aren't a commitment, promise, or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for our products remain at our sole discretion and may be changed or canceled at any time.
Impact of Vulnerability: | Data Leakage via Privilege Escalation (CWE-269); Privilege Escalation (CWE-274) |
CVE Information:
CVE IDs | Severity Rating | CVSS v3 Base Score | Affected Products |
CVE-2017-5715 | Medium | 5.6 | Advanced Threat Defense (ATD); Data Exchange Layer (DXL); McAfee Active Response (MAR); Email Gateway; MOVE Agentless; MOVE Multi-platform; Vulnerability Manager (MVM); Web Gateway; Network Data Loss Prevention (NDLP); Network Security Manager (NSM) Appliances; NSM Clients; NSM Server Software; Network Security Sensor (NSS) Hardware Appliances and Virtual Appliances; Network Threat Behavior Analysis (NTBA) Sensor Hardware Appliances; SIEM; Threat Intelligence Exchange (TIE) Server; Web Gateway Cloud Service (WGCS); SaaS Web Protection (SWP); Web Protection Service (WPS) |
CVE-2017-5753 | Medium | 5.6 | ATD; DXL; MAR; Email Gateway; MOVE Agentless; MOVE Multi-platform; MVM; Web Gateway; NDLP; NSM Appliances; NSM Clients; NSM Server Software; NSS Hardware Appliances and Virtual Appliances; NTBA Sensor Hardware Appliances; SIEM; TIE Server; WGCS; SWP; WPS |
CVE-2017-5754 | Medium | 5.6 | ATD; DXL; MAR; Email Gateway; MOVE Agentless; MOVE Multi-platform; MVM; Web Gateway; NDLP; NSM Appliances; NSM Clients; NSM Server Software; NSS Hardware Appliances and Virtual Appliances; NTBA Sensor Hardware Appliances; SIEM; TIE Server; WGCS; SWP; WPS |
Highest CVSS v3 Base Score: | 5.6 (Medium) |
Recommendations: | Deploy product updates as they are made available. |
Security Bulletin Replacement: | None |
Affected Software: | See the Product Vulnerability Status lists below. |
Location of updated software: | Product Downloads site |
Article contents:
- Vulnerability Description
- Product Vulnerability Status
- Remediation
- Product Specific Notes
- Mitigations
- Acknowledgements
- Frequently Asked Questions (FAQs)
- Resources
- Disclaimer
Vulnerability Description
A set of three vulnerabilities disclosed by Intel® on January 3, 2018, collectively known as Meltdown and Spectre, impacts our appliance products. Spectre covers CVE-2017-5715 (branch target injection) and CVE-2017-5753 (bounds check bypass); Meltdown is CVE-2017-5754 (rogue data cache load).
Blog Posts:
- Decyphering the Noise Around 'Meltdown' and 'Spectre'
- Meltdown and Spectre 101: What to Know About the New Exploits
CVE-2017-5715
Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5715
CVE-2017-5753
Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5753
CVE-2017-5754
Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5754
Product Vulnerability Status
We produce several security appliances that ship with an operating system such as Linux or Windows and use Intel, AMD, or other modern processors. Meltdown impacts only Intel processors. Spectre impacts Intel, AMD, ARM, and other processors. For information regarding product update compatibility, see KB90167.
Updates that address CVE-2017-5753 and CVE-2017-5754 are available for certain products, as shown in the Update Availability table below. A complete fix for CVE-2017-5715 additionally depends on updated Intel microcode, delivered through the appliance BIOS; where that microcode is not yet available, the status will be updated once it is.
Investigation into all products is ongoing, and this Security Bulletin will be updated as additional information becomes available. Not every version of a product listed under "Vulnerable and Updated" is vulnerable; see the Product Specific Notes section below for details. Products that appear on neither list are still being investigated.
Update Availability
Product Acronym and Versions | CVE-2017-5715 (Spectre) | CVE-2017-5753 (Spectre) | CVE-2017-5754 (Meltdown) |
Vulnerable and Updated
ATD 4.x | No | No | February 22, 2018 |
DXL 2.2, 3.x, 4.0 | April 5, 2018 | January 22, 2018 | January 22, 2018 |
MAR 2.2.0 | March 13, 2018 | March 13, 2018 | February 9, 2018 |
Email Gateway 7.6.x | Under Development | Under Development | May 8, 2018 |
MOVE Agentless 4.5.1 | No | February 13, 2018 | February 13, 2018 |
MOVE Multiplatform 4.6 | No | February 13, 2018 | February 13, 2018 |
NDLP 10.x, 11.x | No | February 15, 2018 | February 15, 2018 |
NSM Appliances | September 3, 2018 | September 3, 2018 | September 3, 2018 |
Web Gateway 7.8.1.x, 7.7.2.9 | March 13, 2018 | April 10, 2018 | January 30, 2018 |
Web Gateway 7.6.2.19 | No | No | January 30, 2018 |
SIEM 10.x | November 13, 2018 (BIOS patch for Gen4 and Gen5 hardware available) | November 13, 2018 | November 13, 2018 |
SIEM 11.x | September 26, 2018 (BIOS patch for Gen4 and Gen5 hardware available) | September 26, 2018 | September 26, 2018 |
TIE Server | March 15, 2018 | March 15, 2018 | March 1, 2018 |
Vulnerable but Low Risk
ATD 3.x | Will not be updated | Will not be updated | Will not be updated |
NDLP 9.3.4 | Will not be updated | Will not be updated | Will not be updated |
NSP Sensor Hardware Appliances | Will not be updated | Will not be updated | Will not be updated |
NTBA Sensor Hardware Appliances | Will not be updated | Will not be updated | Will not be updated |
Require OS/browser updates
MVM | Confirm update availability with OS vendor | Confirm update availability with OS vendor | Confirm update availability with OS vendor |
NSM Clients | Confirm update availability with browser vendor | Confirm update availability with browser vendor | Confirm update availability with browser vendor |
NSM Server Software | Confirm update availability with OS vendor | Confirm update availability with OS vendor | Confirm update availability with OS vendor |
NSP Sensor Virtual Appliances | Confirm update availability with host OS vendor | Confirm update availability with host OS vendor | Confirm update availability with host OS vendor |
Not Vulnerable
Products that do not ship with an OS | Not Applicable | Not Applicable | Not Applicable |
Services We've Patched
WGCS / SWE | January 30, 2018 | January 30, 2018 | January 30, 2018 |
WPS | January 30, 2018 | January 30, 2018 | January 30, 2018 |
No Vulnerabilities Reported
- Data Loss Prevention Endpoint (DLP Endpoint) / Host Data Loss Prevention (HDLP)
- Endpoint Security (ENS)
- ePO Cloud / ToPS Server (TPS)
- ePolicy Orchestrator (ePO)
- Host Intrusion Prevention Services (Host IPS)
- McAfee Agent (MA)
- VirusScan Enterprise (VSE)
- VirusScan Enterprise for Storage (VSES)
Remediation
Go to the Product Downloads site and download the applicable product patch/hotfix files:
Product | Versions | Type | Fixed Version | Release Date |
ATD | 4.0 | Update | 4.0.6 | February 22, 2018 |
ATD | 4.2 | Update | 4.2.2 | February 22, 2018 |
DXL | 4.0.0 | Hotfix | HF 5 (build 4.0.0.454.1) | March 27, 2018 |
DXL | 3.1.0 | Hotfix | HF 13 (build 3.1.0.630.1) | March 20, 2018 |
DXL | 3.0.1 | Hotfix | HF 9 (build 3.0.1.217.6) | April 5, 2018 |
DXL | 3.0.0 | Hotfix | HF 11 (build 3.0.0.390.3) | April 5, 2018 |
DXL | 2.2.0 | Hotfix | HF 9 (build 2.2.0.274.3) | April 5, 2018 |
NDLP | 11.x | Hotfix | 11.0.201 | February 15, 2018 |
NDLP | 10.x | Hotfix | 10.0.301 | February 15, 2018 |
NSM Appliances (Linux) | 3.x | Hotfix | NSM_MLOS-3.5.0.9465_V1 Version 3.30 | September 3, 2018 |
Email Gateway | 7.6.x | Hotfix | MEG-7.6.406h1252891-3484.101.zip | September 20, 2018 |
MAR | 2.2.0 | Hotfix | 2.2.0.269 | March 13, 2018 |
MOVE Agentless | 4.5.1 | Hotfix | HF 1224059 (build 4.5.1.302) | February 13, 2018 |
MOVE Multiplatform | 4.6 | Hotfix | HF 1227059 (build 4.6.0.429) | February 13, 2018 |
Web Gateway | 7.8.0.x | Update | 7.8.1.4 | April 10, 2018 |
Web Gateway | 7.7.2.x | Update | 7.7.2.12 | April 10, 2018 |
Web Gateway | 7.6.2.x | Update | 7.6.2.19 | February 13, 2018 |
SIEM | 10.x | Update | 10.3.3 | November 13, 2018 |
SIEM | 11.x | Update | 11.1.0 | September 26, 2018 |
TIE | 2.1.1 | Hotfix | HF 3 (build 2.1.1.241) | March 15, 2018 |
Download and Installation Instructions
For instructions to download product updates and hotfixes, see KB56057 - How to download Enterprise product updates and documentation. Review the Release Notes and the Installation Guide for instructions on how to install these updates. All documentation is available on the Product Documentation site.
Product Specific Notes
Below is a list of appliances and their status.
ATD Appliances:
Physical Appliances
All versions of ATD (3.6, 3.8, 3.10, 4.0, 4.2) are impacted. ATD 4.2.2 and 4.0.6, released February 22, 2018, update the MLOS kernel to address Meltdown. Spectre on ATD appliances will be addressed in a future BIOS (microcode) update; BIOS updates for the ATD 3100 and ATD 6100 appliance models are expected by the end of March 2018.
Virtual Appliances:
All versions of ATD (3.6, 3.8, 3.10, 4.0, 4.2) are impacted, and the hypervisor host running the ATD VM must also be patched if its CPU is affected. ATD 4.2.2 and 4.0.6, released February 22, 2018, update the MLOS kernel to address Meltdown. Spectre on ATD appliances will be addressed in a future BIOS (microcode) update; BIOS updates for the ATD 3100 and ATD 6100 appliance models are expected by the end of March 2018.
We recommend that customers running ATD 3.6 or 3.8 first upgrade to the latest ATD 4.0 release and then apply the update containing the fix. Customers running ATD 4.0 or 4.2 apply the update containing the fix directly.
KB90207 contains ATD-specific information about these vulnerabilities.
Data Loss Prevention Appliances:
Network DLP 9.3.4
Network DLP 9.3.4 is vulnerable but not exploitable. The Network DLP 9.3 appliance is a closed system: only the administrator can upload and execute untrusted code, and that code already runs with full system privileges, so exploiting Meltdown or Spectre from it would reveal nothing the administrator cannot already access. As a best practice, use a strong password for authentication to Network DLP appliances, and place them in a DMZ behind an external firewall that limits access to the appliance IP addresses and ports.
Network DLP 10.x, 11.x
Vulnerable: Meltdown and Spectre require an attacker to run code locally on the appliance; their effect is disclosure of memory (kernel memory or the memory of other processes) that the attacker's code should not be able to read. Network DLP Prevent and Monitor are vulnerable but not directly exploitable because they do not run untrusted code, so another vulnerability would be needed first to obtain code execution. The risk is therefore rated low.
A kernel update is available that mitigates Spectre and fixes Meltdown. Intel microcode updates (currently in beta) will be included in a future release to complete the Spectre fix. These fixes cost up to 5% in performance on virtual appliances; increase the resource allocation of virtual appliances by 5% to preserve existing sizing.
Email Appliances:
Email Gateway
Vulnerable: Meltdown and Spectre require an attacker to run code locally on the appliance; their effect is disclosure of memory that the attacker's code should not be able to read. Email Gateway is vulnerable but not directly exploitable because it does not run untrusted code, so another vulnerability would be needed first to obtain code execution. The risk is therefore rated low.
MVM Appliances:
MVM appliances run Microsoft Windows Server 2008 R2 on Intel processors, so they are vulnerable to all three CVEs: CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754. Install the Windows security update KB4056897 and any other relevant security updates on the appliances. Two caveats apply, as on any Windows Server host: the mitigations in that update are disabled by default and must be switched on by setting the FeatureSettingsOverride (0) and FeatureSettingsOverrideMask (3) REG_DWORD values under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management and rebooting, and the CVE-2017-5715 mitigation additionally requires the hardware vendor's microcode (BIOS) update. Microsoft's SpeculationControl PowerShell module (Get-SpeculationControlSettings) reports whether each mitigation is present and enabled.
Network/IPS Appliances:
NSP
NSP is vulnerable to Meltdown and Spectre. To exploit any of these vulnerabilities, an attacker must be able to run crafted code on the affected device.
NSP Sensor Hardware Appliances
All NSP Sensors are closed systems: they do not allow remotely delivered code to execute on the device, nor do they allow users to execute code locally. Although the underlying CPU and kernel combination in these appliances might be classified as unpatched, the inability to execute local malicious code makes them non-exploitable and effectively not vulnerable. There is no known vector to exploit them.
NSP Sensor Virtual Appliances
NSP Sensor Virtual Appliances follow the same rationale as the physical appliances. It is critical, however, that the hypervisor host running the NSP VM is patched if its CPU is affected by any of the above vulnerabilities, because an unpatched host exposes the memory of every guest it runs.
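The hypervisor-host requirement above (and the same requirement stated for the ATD and TIE Server virtual appliances) raises the practical question of how to tell whether a Linux host or appliance kernel actually carries the mitigations. The script below is an added example, not part of this bulletin or of any McAfee product: it reads the per-issue files that Linux kernels since 4.15 (and distribution backports from January 2018) expose under /sys/devices/system/cpu/vulnerabilities/, maps them to the three CVEs in this bulletin, and flags anything still unmitigated. Whether a particular appliance image such as MLOS ships a kernel with this interface is an assumption; the sample readings in the script are constructed, not captured from real appliances, so it runs offline.

```python
"""Check Linux speculative-execution mitigation state via sysfs.

Added example, not taken from the vendor bulletin. Linux kernels since 4.15
(and distribution backports from January 2018) expose one file per issue
under /sys/devices/system/cpu/vulnerabilities/. The kernel fixes the mapping
of file names to the three CVEs covered by the bulletin:
  meltdown -> CVE-2017-5754, spectre_v1 -> CVE-2017-5753, spectre_v2 -> CVE-2017-5715
Whether an appliance image such as MLOS ships a kernel with this interface is
an assumption; the sample readings below are constructed so the script runs
offline.
"""
import os

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Kernel file name -> CVE covered by the bulletin.
CVE_FOR_FILE = {
    "meltdown": "CVE-2017-5754",
    "spectre_v1": "CVE-2017-5753",
    "spectre_v2": "CVE-2017-5715",
}


def classify(reading):
    """Reduce one sysfs line to: mitigated, vulnerable, not_affected or unknown.

    The kernel prefixes each line with "Not affected", "Vulnerable" or
    "Mitigation:"; text after the colon names the mitigation in use.
    """
    text = reading.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def assess(readings):
    """Map {sysfs file name: content} to {CVE: (status, detail)}.

    A missing file means the running kernel predates the interface and thus
    predates the fixes, so it is reported as vulnerable rather than unknown.
    """
    result = {}
    for fname, cve in CVE_FOR_FILE.items():
        raw = readings.get(fname)
        if raw is None:
            result[cve] = ("vulnerable", "kernel does not expose sysfs entry")
        else:
            result[cve] = (classify(raw), raw.strip())
    return result


def needs_patching(assessment):
    """True when any of the three CVEs is still unmitigated on this kernel."""
    return any(status == "vulnerable" for status, _ in assessment.values())


def read_live():
    """Read the real sysfs files on this host; empty dict if unavailable."""
    readings = {}
    for fname in CVE_FOR_FILE:
        try:
            with open(os.path.join(SYSFS_DIR, fname)) as fh:
                readings[fname] = fh.read()
        except OSError:
            pass
    return readings


# Constructed sample readings (not captured from any real appliance).
SAMPLE_PATCHED_INTEL = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB, IBRS_FW\n",
}
# Kernel updated but no microcode: the CVE-2017-5715 gap the bulletin describes.
SAMPLE_KERNEL_ONLY_INTEL = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
}
SAMPLE_OLD_KERNEL = {}  # pre-4.15 kernel without the interface

if __name__ == "__main__":
    live = read_live() or SAMPLE_PATCHED_INTEL
    report = assess(live)
    for cve, (status, detail) in sorted(report.items()):
        print(f"{cve}: {status:12} {detail}")
    print("patch required:", needs_patching(report))
```

A kernel that exposes the files but reports a "Vulnerable" spectre_v2 line after a kernel update is the usual sign that the matching microcode is missing, which is exactly the CVE-2017-5715 gap the bulletin describes; a host without the directory altogether predates the fixes and should be treated as unpatched.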
NSM Appliances
The NSM Windows Appliance is a general-purpose computer and is classified as exploitable. The NSM Linux Appliance is a more closed general-purpose computer and is classified as exploitable to a lesser extent. Both appliances will receive an operating system update to remediate the vulnerabilities.
The following NSM hardware platforms are impacted.
Windows
- NSM-GLBL-NG (GLBL, MFE Network Sec Glbl Manager Appl-NG)
- NSM-STND-NG (STND, MFE Network Sec Manager Appl-NG)
- NSM-STND-NG-FO (FAOV, MFE Network Sec Manager FO Appl-NG)
- NSM-STND-NG-UP (AUPG, MFE Network Sec Manager UPG Appl-NG)
- NSM-MAPL-NG (NSM, MFE Network Security Manager Appl NG)
Customer-provided Windows systems that run NSM software are also exploitable and should be updated promptly. Install the Windows security update KB4056897 and any other relevant security updates; on Windows Server, also enable the mitigations through the registry as described in Microsoft's server guidance, and apply the hardware vendor's microcode (BIOS) update, which the CVE-2017-5715 mitigation requires. No update is required for the NSM software itself.
NSM Clients
Customers are advised to review and apply any browser updates that mitigate the delivery of attacks associated with these vulnerabilities; those updates typically coarsen high-resolution timers and disable SharedArrayBuffer, the primitives a JavaScript side channel relies on. See the guidance from the browser vendors.
NTBA Sensor Hardware Appliances
All Sensor Appliances are closed systems: they do not allow remotely delivered code to execute on the device, nor do they allow users to execute code locally. Although the underlying CPU and kernel combination in these appliances might be classified as unpatched, the inability to execute local malicious code makes them non-exploitable and effectively not vulnerable. There is no known vector to exploit them.
SIEM Appliances:
SIEM
SIEM is a closed system: unprivileged local users cannot execute arbitrary code.
SIEM has shipped kernel upgrades addressing CVE-2017-5753 and CVE-2017-5754. CVE-2017-5715 additionally requires BIOS (microcode) upgrades, which are available for Gen4 and Gen5 hardware. For additional details, see KB91123.
TIE Server Appliances:
TIE Server
Vulnerable but low risk: these vulnerabilities are not directly exploitable in TIE Server because unprivileged local users cannot execute arbitrary code, so another vulnerability would be needed first to obtain code execution. We recommend patching TIE Server appliances as described in the Remediation section. If TIE Server is deployed as a virtual appliance, the hypervisor host running the TIE Server VM must also be patched if its CPU is affected by any of the above vulnerabilities.
Web Appliances:
WGCS / SWE
The underlying operating system of the Web Gateway Cloud Platform has been patched to prevent exploitation of these vulnerabilities.
WPS
The underlying operating system of the Web Gateway Cloud Platform has been patched to prevent exploitation of these vulnerabilities.
Web Gateway
Vulnerable: On Web Gateway appliances, Meltdown/Spectre would allow code already running on the appliance to read kernel memory or the memory of other processes. This is not directly exploitable because Web Gateway does not run untrusted code, so another vulnerability would be needed first to obtain code execution. Given that configuration, the risk for Web Gateway is considered low.
Mitigations
NSM SigSet Detection
These vulnerabilities are exploited on the affected host itself; the only network-borne delivery path is code that the target executes, such as JavaScript served to a browser. Signature coverage for these vulnerabilities was made available in the signature set released on January 9, 2018.
Acknowledgements
These vulnerabilities were previously disclosed by The MITRE Corporation as CVEs.
Frequently Asked Questions (FAQs)
How do I know whether my product is vulnerable?
For Endpoint products:
Endpoint products are not affected. We recommend that customers apply operating system updates if available.
For ePO:
ePO is not affected. We recommend that customers apply operating system updates to the ePO server and ePO database server if available.
For Appliances:
Use the following instructions for Appliance-based products:
- Open the Administrator's User Interface (UI).
- Click the About link. The product version is displayed.
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council’s effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score between 0 and 10 that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, visit the CVSS website at: http://www.first.org/cvss/.
When calculating CVSS scores, we've adopted a philosophy that fosters consistency and repeatability. Our guiding principle for CVSS scoring is to score the exploit under consideration by itself. We consider only the immediate and direct impact of the exploit under consideration. We do not factor into a score any potential follow-on exploits that might be made possible by successful exploitation of the issue being scored.
What are the CVSS scoring metrics that have been used?
CVE-2017-5715 – Spectre
Metric | Value
--- | ---
Base Score | 5.6
Attack Vector (AV) | Local (L)
Attack Complexity (AC) | High (H)
Privileges Required (PR) | Low (L)
User Interaction (UI) | None (N)
Scope (S) | Changed (C)
Confidentiality (C) | High (H)
Integrity (I) | None (N)
Availability (A) | None (N)
Temporal Score (Overall) | 5.1
Exploitability (E) | Proof-of-Concept (P)
Remediation Level (RL) | Temporary Fix (T)
Report Confidence (RC) | Confirmed (C)
NOTE: The below CVSS version 3.0 vector was used to generate this score.
https://nvd.nist.gov/cvss/v3-calculator?vector=AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N/E:P/RL:T/RC:C
CVE-2017-5753 – Spectre
Metric | Value
--- | ---
Base Score | 5.6
Attack Vector (AV) | Local (L)
Attack Complexity (AC) | High (H)
Privileges Required (PR) | Low (L)
User Interaction (UI) | None (N)
Scope (S) | Changed (C)
Confidentiality (C) | High (H)
Integrity (I) | None (N)
Availability (A) | None (N)
Temporal Score (Overall) | 5.1
Exploitability (E) | Proof-of-Concept (P)
Remediation Level (RL) | Temporary Fix (T)
Report Confidence (RC) | Confirmed (C)
NOTE: The below CVSS version 3.0 vector was used to generate this score.
https://nvd.nist.gov/cvss/v3-calculator?vector=AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N/E:P/RL:T/RC:C
CVE-2017-5754 – Meltdown (Intel Processors)
Metric | Value
--- | ---
Base Score | 5.6
Attack Vector (AV) | Local (L)
Attack Complexity (AC) | High (H)
Privileges Required (PR) | Low (L)
User Interaction (UI) | None (N)
Scope (S) | Changed (C)
Confidentiality (C) | High (H)
Integrity (I) | None (N)
Availability (A) | None (N)
Temporal Score (Overall) | 5.1
Exploitability (E) | Proof-of-Concept (P)
Remediation Level (RL) | Temporary Fix (T)
Report Confidence (RC) | Confirmed (C)
NOTE: The below CVSS version 3.0 vector was used to generate this score.
https://nvd.nist.gov/cvss/v3-calculator?vector=AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N/E:P/RL:T/RC:C
Where can I find a list of all Security Bulletins?
All Security Bulletins are published on our Knowledge Center. Security Bulletins are retired (removed) once a product is both End of Sale and End of Support (End of Life).
How do I report a product vulnerability to you?
If you have information about a security issue or vulnerability with a product, follow the instructions provided in KB95563 - Report a vulnerability.
How do you respond to this and any other reported security flaws?
Our key priority is the security of our customers. If a vulnerability is found within any of our software or services, we work closely with the relevant security software development team to ensure the rapid and effective development of a fix and communication plan.
We only publish Security Bulletins if they include something actionable such as a workaround, mitigation, version update, or hotfix. Otherwise, we would simply be informing the hacker community that our products are a target, putting our customers at greater risk. For products that are updated automatically, a non-actionable Security Bulletin might be published to acknowledge the discoverer.
To view our PSIRT policy, see KB95564 - About PSIRT.
Resources
To contact Technical Support, go to the Create a Service Request page and log on to the ServicePortal.
- If you are a registered user, type your User ID and Password, and then click Log In.
- If you are not a registered user, click Register and complete the fields to have your password and instructions emailed to you.
Disclaimer
The information provided in this Security Bulletin is provided as is without warranty of any kind. We disclaim all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall we or our suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits, or special damages, even if we or our suppliers have been advised of the possibility of such damages. Some states don't allow the exclusion or limitation of liability for consequential or incidental damages, so the preceding limitation may not apply.
Any future product release dates mentioned in this Security Bulletin are intended to outline our general product direction, and they shouldn't be relied on in making a purchasing decision. The product release dates are for information purposes only, and may not be incorporated into any contract. The product release dates aren't a commitment, promise, or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for our products remain at our sole discretion and may be changed or canceled at any time.