-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0118
   SA161: Local Information Disclosure Due to Meltdown and Spectre Attacks
                              10 January 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Symantec Network Protection products
Publisher:         Symantec
Operating System:  Network Appliance
Impact/Access:     Access Privileged Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-5754 CVE-2017-5753 CVE-2017-5715

Reference:         ASB-2018.0009
                   ASB-2018.0002.4
                   ESB-2018.0046
                   ESB-2018.0044
                   ESB-2018.0042

Original Bulletin:
   https://www.symantec.com/security-center/network-protection-security-advisories/SA161

- --------------------------BEGIN INCLUDED TEXT--------------------

SA161: Local Information Disclosure Due to Meltdown and Spectre Attacks

Security Advisory ID: SA161
Published Date:       Jan 08, 2018
Advisory Status:      Interim
Advisory Severity:    Medium
CVSS v2 base score:   4.7 (AV:L/AC:M/Au:N/C:C/I:N/A:N)

CVE Number:
CVE-2017-5715 - 4.7 (MEDIUM) (AV:L/AC:M/Au:N/C:C/I:N/A:N)
CVE-2017-5753 - 4.7 (MEDIUM) (AV:L/AC:M/Au:N/C:C/I:N/A:N)
CVE-2017-5754 - 4.7 (MEDIUM) (AV:L/AC:M/Au:N/C:C/I:N/A:N)

Symantec Network Protection products, which run on an affected CPU chipset and
execute arbitrary code from external sources, are susceptible to several
information disclosure vulnerabilities (aka Meltdown and Spectre attacks). A
remote attacker, with the ability to execute arbitrary code locally on the
target, can obtain sensitive information from the memory spaces of the same
userspace application, other userspace applications, the operating system, or
a VM hypervisor.

Affected Products:

The following products are vulnerable:

Content Analysis
CA 2.1 and 2.2 are vulnerable to all CVEs when configured with on-box
sandboxing.
CA 1.3 uses affected CPU chipsets, but does not allow administrators to
execute arbitrary code and is not vulnerable to known vectors of attack.

Malware Analysis
MA 4.2 is vulnerable to all CVEs.

Security Analytics
Security Analytics 7.1, 7.2, and 7.3 are vulnerable to all CVEs when a
malicious administrator executes malicious code on the appliance.

X-Series XOS
XOS 9.7, 10.0, and 11.0 are vulnerable to all CVEs when a malicious
administrator accesses the XOS diagnostics functionality and executes
malicious code on the appliance.

The following products use affected CPU chipsets, but do not allow
administrators to execute arbitrary code and are not vulnerable to known
vectors of attack:

Advanced Secure Gateway
CacheFlow (not affected by Meltdown)
Director
Mail Threat Defense
Management Center
Norman Shark Industrial Control System Protection
PacketShaper
PacketShaper S-Series
PolicyCenter S-Series
ProxyAV
ProxySG (SG300, SG600, and SG9000 platforms are not affected by Meltdown)
Reporter 10.1
SSL Visibility

The following products run as userspace applications on customer-provided
hardware platforms and operating systems.
The vulnerabilities addressed in this security advisory are not present in
our applications, but these applications can be targeted by an attacker if
the underlying hardware platforms and operating systems are vulnerable:

Android Mobile Agent
AuthConnector
BCAAA
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
HSM Agent for the Luna SP
IntelligenceCenter
IntelligenceCenter Data Collector
K9
PolicyCenter
ProxyClient
ProxyAV ConLog and ConLogXP
Reporter 9.5
Unified Agent

Advisory Details:

Symantec Network Protection products, which run on an affected CPU chipset and
execute arbitrary code from external sources, are susceptible to several
information disclosure vulnerabilities.

The Meltdown attack (CVE-2017-5754) exploits an information disclosure
vulnerability in CPU chipsets that support out-of-order execution. CPU
chipsets from multiple vendors use out-of-order execution to improve
instruction execution performance. Modern operating systems rely on memory
isolation between userspace applications and the operating system kernel. If
a userspace application attempts to access a memory location reserved for the
operating system, the system triggers an exception. A CPU chipset supporting
out-of-order execution may fetch sensitive data and store it in the CPU cache
before detecting the exception. The data remains uncleared in the CPU cache,
where a malicious userspace application can access it via side-channel
analysis. The Meltdown attack also allows malicious userspace applications to
access sensitive data from the memory spaces of other userspace applications.
The Spectre attack (CVE-2017-5753 and CVE-2017-5715) exploits an information
disclosure vulnerability in CPU chipsets that support speculative execution
through branch prediction. CPU chipsets from multiple vendors use branch
prediction to improve instruction execution performance. A malicious userspace
application can obtain unauthorized access to sensitive data from the memory
space of the same or a different userspace application by accessing data left
uncleared in the CPU cache after speculatively executed CPU instructions. In
one variant of the Spectre attack (CVE-2017-5753), the speculatively executed
instructions follow an incorrect branch prediction. In a second variant
(CVE-2017-5715), the instructions are loaded from the location of a
mispredicted branch target. CVE-2017-5715 may also allow malicious code
running as a guest in a virtual machine to obtain unauthorized access to
sensitive data from the VM hypervisor memory.

The vulnerabilities addressed in this security advisory are not present in
Symantec Network Protection products that run as userspace applications, but
these applications can be targeted by an attacker if the underlying hardware
platforms and operating systems are vulnerable. Symantec urges our customers
to contact their operating system and hardware platform vendors for
Meltdown/Spectre vulnerability information and fixes.

Patches:

Content Analysis
CA 2.2 - a fix is not available at this time.
CA 2.1 - a fix is not available at this time.

Malware Analysis
MA 4.2 - a fix is not available at this time.

Security Analytics
Security Analytics 7.3 - a fix is not available at this time.
Security Analytics 7.2 - a fix is not available at this time.
Security Analytics 7.1 - a fix is not available at this time.

X-Series XOS
XOS 11.0 - a fix is not available at this time.
XOS 10.0 - a fix is not available at this time.
XOS 9.7 - a fix is not available at this time.
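The Spectre variant 1 condition described under Advisory Details (CVE-2017-5753: a bounds check that is architecturally correct but whose body the CPU still executes after a mispredicted branch) in the form a code reviewer would look for, next to the branch-free index masking used to harden it. This is an added example written for this bulletin, not code from Symantec or from the advisory: the memory layout, the probe array and every function name are constructed for illustration, the masking follows the pattern the Linux kernel uses in array_index_mask_nospec(), and the cache-timing step a real attack needs to observe the speculative access is hardware specific and omitted, so the mispredicted path is modelled by a helper rather than measured.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample memory layout (not from the advisory): a 16-byte public
 * buffer followed immediately by a secret that callers must never read. */
#define PUBLIC_LEN 16
static const uint8_t memory[] = "public-data-1234SECRET_TOKEN_xyz";
static const size_t public_len = PUBLIC_LEN;

/* One slot per possible byte value, spaced STRIDE bytes apart so that each
 * value maps to its own cache line; the gadget's second load indexes into it
 * and that access pattern is what a Flush+Reload attacker would time. */
#define STRIDE 512
static uint8_t probe[256 * STRIDE];

/* Vulnerable gadget (Spectre v1 shape). Architecturally the check holds, so
 * an out-of-range idx returns 0. Under a trained misprediction the CPU may
 * still run the body speculatively: it loads memory[idx] (the secret) and
 * touches probe[secret * STRIDE], leaving a cache footprint. */
uint8_t victim_vulnerable(size_t idx) {
    if (idx < public_len) {
        uint8_t v = memory[idx];
        return probe[v * STRIDE];
    }
    return 0;
}

/* Branch-free bounds mask: SIZE_MAX when idx < size, 0 otherwise.
 * (idx | (size - 1 - idx)) has its top bit set exactly when idx >= size
 * (for size up to SIZE_MAX / 2), and unsigned wrap turns that bit into the
 * mask, so there is no conditional branch for the predictor to get wrong. */
size_t index_mask_nospec(size_t idx, size_t size) {
    size_t top = (idx | (size - 1 - idx)) >> (sizeof(size_t) * 8 - 1);
    return top - 1;
}

/* Hardened gadget: the index is clamped with the mask before the load, so
 * even on a mispredicted path the dependent load uses index 0, not idx. */
uint8_t victim_hardened(size_t idx) {
    if (idx < public_len) {
#if defined(__GNUC__)
        /* Compiler barrier (GCC/Clang syntax, as the kernel does): without it
         * the optimiser may fold the mask away using the architectural check. */
        __asm__ __volatile__("" : "+r"(idx));
#endif
        idx &= index_mask_nospec(idx, public_len);
        uint8_t v = memory[idx];
        return probe[v * STRIDE];
    }
    return 0;
}

/* Model of the mispredicted path: the bounds check is assumed to have been
 * speculated as "in range". Returns the byte the first load would fetch.
 * idx must stay inside the constructed memory[] array. */
uint8_t speculative_load(size_t idx, int hardened) {
    if (hardened)
        idx &= index_mask_nospec(idx, public_len);
    return memory[idx];
}

int main(void) {
    printf("architectural victim_vulnerable(16): %u\n", victim_vulnerable(16));
    printf("speculative path, vulnerable gadget: '%c'\n", speculative_load(16, 0));
    printf("speculative path, hardened gadget:   '%c'\n", speculative_load(16, 1));
    return 0;
}
```

Build with `cc -O2 -o spectre_v1_mask spectre_v1_mask.c` (the file name is an assumption). The point to take from it is that `victim_vulnerable(16)` and `victim_hardened(16)` both return 0 to the caller, which is why source review and functional testing do not find the problem; only the modelled speculative path differs, fetching the first secret byte in the vulnerable gadget and `memory[0]` in the hardened one.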
References:

Meltdown and Spectre - https://meltdownattack.com/
CERT Vulnerability Note VU#584653 - http://www.kb.cert.org/vuls/id/584653
CVE-2017-5715 - https://nvd.nist.gov/vuln/detail/CVE-2017-5715
CVE-2017-5753 - https://nvd.nist.gov/vuln/detail/CVE-2017-5753
CVE-2017-5754 - https://nvd.nist.gov/vuln/detail/CVE-2017-5754

Advisory History:

2018-01-09 PolicyCenter (non S-Series) and Reporter 9.5 run as userspace
           applications on customer-provided hardware platforms and operating
           systems. The vulnerabilities addressed in this security advisory
           are not present in these applications, but they can be targeted
           by an attacker if the underlying hardware platforms and operating
           systems are vulnerable.
2018-01-08 initial public release

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWlWySIx+lLeg9Ub1AQhAAw/+NNPqZkCfnUHHDRTBvPAeIR6uZlE2T7Ld
XfQgv7dtsK3BIsaPkfLn6lpndtOh7zkgi7PoHBQoIeSQ1T4MOQxCEjOmxVsIEv5j
0KgPWqneEnMGnAu8OfJZc0nTfCJnoqhQ9yysxPVMWB/cMgmgYrN0zHFvfZJS5d3A
ePndT5t/MJK7pLLpyImlr3P6tkEfc1+TU+sQFzLWcD4eGYivkSDo0Q0riWNvVI/l
3Gi4OvyK7SqWp3VATDTmhwvrud6Ex3pnf8YKo4qRe2OpXJ4SDSVtm2prCVFt2Bi+
SNSNNXowgqKO33wziUWheC+bOhlMRdV17b+n+unug7bHKwJshjx2mBgT1LFT8zEA
BzDh5+v2blRBJc2HgYsiKkdbAy6+9RidFTj3gionBEJIweIIth5rHSKYSC5xX5pv
wy1SNoHzWr4CFpH5P0qeQqx6wr8XVn8TQd9KGwkcLhtaOrIkyEeWfPYq2KlOxryH
cuIvw1JNq+GYBWyBsZmQSkxglFbtPY7n6rnCFfLqIjjWs6Dnb3vDhMnGPZ9e/Y08
tKnoyk9va06OmqLD4tIGXRCWHJPp8yTvyGyn+LYNiMKnzTT6g+60cUgUJfkzY0jS
YNDP/HSdME6hsMw4+KWu9x+GMo2+EKQXtkW+ouh7k1P+Y9/+oKwOS7FoiXrGgffO
yQKamZM4aRg=
=X0eU
-----END PGP SIGNATURE-----