Operating System:

[Win]

Published:

05 June 2019


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2013
           SYMSA1426-SA161: Local Information Disclosure Due to
                       Meltdown and Spectre Attacks
                                5 June 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Symantec products
Publisher:         Symantec
Operating System:  Windows
Impact/Access:     Access Privileged Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-5754 CVE-2017-5753 CVE-2017-5715

Reference:         ASB-2019.0109
                   ASB-2018.0295
                   ESB-2019.1926
                   ESB-2019.1899

Original Bulletin: 
   http://support.symantec.com/content/unifiedweb/en_US/article.SYMSA1426.html

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Advisory ID SYMSA1426
Initial Publication Date:  8 Jan 2018
Advisory Status:           Open
Advisory Severity:         Medium
CVSS Base Score:           CVSS v2: 4.7
Legacy ID:                 SA161

Summary

Affected Products

The following products are vulnerable. All hardware platforms are affected
unless specified otherwise:

+-----------------------------------------------------------------+
|                      Content Analysis (CA)                      |
+--------+-------------------+------------------------------------+
|  CVE   |Affected Version(s)|Remediation                         |
+--------+-------------------+------------------------------------+
|        |2.3                |Not available at this time          |
|        +-------------------+------------------------------------+
|All CVEs|2.2                |Upgrade to later release with fixes.|
|        +-------------------+------------------------------------+
|        |2.1                |Upgrade to later release with fixes.|
+--------+-------------------+------------------------------------+

+-------------------------------------------------------+
|                 Malware Analysis (MA)                 |
+--------+-------------------+--------------------------+
|  CVE   |Affected Version(s)|Remediation               |
+--------+-------------------+--------------------------+
|All CVEs|4.2                |Not available at this time|
+--------+-------------------+--------------------------+

+-----------------------------------------------------------------+
|                       Security Analytics                        |
+--------+-------------------+------------------------------------+
|  CVE   |Affected Version(s)|Remediation                         |
+--------+-------------------+------------------------------------+
|        |8.0                |Not vulnerable, fixed in 8.0.1.     |
|        +-------------------+------------------------------------+
|        |7.3                |Upgrade to 7.3.3.                   |
|All CVEs+-------------------+------------------------------------+
|        |7.2                |Upgrade to later release with fixes.|
|        +-------------------+------------------------------------+
|        |7.1                |Upgrade to later release with fixes.|
+--------+-------------------+------------------------------------+

+-----------------------------------------------------------------+
|                          X-Series XOS                           |
+--------+-------------------+------------------------------------+
|  CVE   |Affected Version(s)|Remediation                         |
+--------+-------------------+------------------------------------+
|        |11.0               |Not available at this time          |
|        +-------------------+------------------------------------+
|All CVEs|10.0               |Upgrade to later release with fixes.|
|        +-------------------+------------------------------------+
|        |9.7                |Upgrade to later release with fixes.|
+--------+-------------------+------------------------------------+

Additional Product Information

Content Analysis (CA) is only vulnerable when configured with on-box
sandboxing.

Security Analytics is only vulnerable when an administrator user executes
malicious code on the appliance.

X-Series XOS is only vulnerable when an administrator user accesses the XOS
diagnostics functionality and executes malicious code on the appliance. The
NPM-8620 (standalone and in X20 chassis), NPM-8650, and NPM-9600 platforms are
not affected.

The following products use affected CPUs, but do not allow administrators to
execute arbitrary code and are not vulnerable to known vectors of attack:
Advanced Secure Gateway
CacheFlow (CF5000-CX and CF5000-MX platforms are not affected by Meltdown)
Content Analysis 1.3
Director
Mail Threat Defense
Management Center
Norman Shark Industrial Control System Protection
PacketShaper
PacketShaper S-Series
PolicyCenter S-Series
ProxyAV
ProxySG (SG300, SG600, and SG9000 platforms are not affected by Meltdown)
Reporter 10.1
SSL Visibility

The following products run as userspace applications on customer-provided
hardware platforms and operating systems. The vulnerabilities addressed in this
security advisory are not present in our applications, but these applications
can be targeted by an attacker if the underlying hardware platforms and
operating systems are vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
HSM Agent for the Luna SP
IntelligenceCenter
IntelligenceCenter Data Collector
K9
PolicyCenter
ProxyClient
ProxyAV ConLog and ConLogXP
Reporter 9.5
Unified Agent

Issues

+----------------------------------------------------------------------------+
|                     CVE-2017-5715 (Spectre variant 2)                      |
+-----------+----------------------------------------------------------------+
|Severity / |Medium / 4.7 (AV:L/AC:M/Au:N/C:C/I:N/A:N)                       |
|  CVSSv2   |                                                                |
+-----------+----------------------------------------------------------------+
|References |SecurityFocus: BID 102376 / NVD: CVE-2017-5715                  |
+-----------+----------------------------------------------------------------+
|  Impact   |Information disclosure                                          |
+-----------+----------------------------------------------------------------+
|           |Spectre variant 2 (branch target injection) exploits an         |
|           |information disclosure vulnerability in CPUs that speculatively |
|           |execute instructions based on indirect branch prediction. An    |
|           |attacker who can run code on the system trains the branch       |
|Description|predictor so that a victim process speculatively executes a     |
|           |gadget that loads secret data; the cache footprint that         |
|           |speculative load leaves behind is measured with a timing        |
|           |side channel to recover the data. The same technique lets       |
|           |malicious code in a virtual machine guest read hypervisor       |
|           |memory.                                                         |
+-----------+----------------------------------------------------------------+

+----------------------------------------------------------------------------+
|                     CVE-2017-5753 (Spectre variant 1)                      |
+-----------+----------------------------------------------------------------+
|Severity / |Medium / 4.7 (AV:L/AC:M/Au:N/C:C/I:N/A:N)                       |
|  CVSSv2   |                                                                |
+-----------+----------------------------------------------------------------+
|References |SecurityFocus: BID 102371 / NVD: CVE-2017-5753                  |
+-----------+----------------------------------------------------------------+
|  Impact   |Information disclosure                                          |
+-----------+----------------------------------------------------------------+
|           |Spectre variant 1 (bounds check bypass) exploits an information |
|           |disclosure vulnerability in CPUs that speculatively execute     |
|           |instructions past a conditional branch before the branch is     |
|Description|resolved. An attacker who can run code on the system trains     |
|           |the predictor so that the victim's bounds check branch is       |
|           |mispredicted, causing an out-of-bounds read whose value is      |
|           |used to touch the cache; a timing side channel on the cache     |
|           |then reveals data from the same or another process.             |
+-----------+----------------------------------------------------------------+

+----------------------------------------------------------------------------+
|                          CVE-2017-5754 (Meltdown)                          |
+-----------+----------------------------------------------------------------+
|Severity / |Medium / 4.7 (AV:L/AC:M/Au:N/C:C/I:N/A:N)                       |
|  CVSSv2   |                                                                |
+-----------+----------------------------------------------------------------+
|References |SecurityFocus: BID 102378 / NVD: CVE-2017-5754                  |
+-----------+----------------------------------------------------------------+
|  Impact   |Information disclosure                                          |
+-----------+----------------------------------------------------------------+
|           |Meltdown (rogue data cache load) exploits an information        |
|           |disclosure vulnerability in CPUs that execute instructions      |
|           |out of order. When a userspace application reads a kernel       |
|           |address, the CPU raises a fault, but out-of-order execution     |
|Description|may already have loaded the protected value and used it to      |
|           |fill a cache line before the fault is delivered. The cache      |
|           |state survives the fault, so the application can recover the    |
|           |value with a timing side channel and thereby read kernel        |
|           |memory, including other processes' pages the kernel maps there. |
+-----------+----------------------------------------------------------------+
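
The three descriptions above share one primitive: a transient load leaves a
cache line resident, and a timing side channel reads it back. The C program
below is an added example written for this bulletin, not Symantec code and
not part of the original advisory. It shows the Spectre variant 1 gadget
shape beside the two usual hardenings (branch-free index masking of the kind
Linux's array_index_mask_nospec uses, and an lfence speculation barrier), a
model of which byte a mis-speculated index would reach, and the flush+reload
timing used to read the channel. The victim layout, the secret string and
every name in it are constructed for illustration; the timing code is x86-64
only and degrades to a stub elsewhere.

```c
/* Added example for this bulletin, not Symantec's code; layout, secret and names are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__)
#include <x86intrin.h>
#define SPECULATION_BARRIER() _mm_lfence()
#else
/* Assumption for non-x86 builds: compiler barrier only, no CPU fence. */
#define SPECULATION_BARRIER() __asm__ __volatile__("" ::: "memory")
#endif
#define STRIDE 512 /* one probe line per byte value, spaced to defeat prefetching */

/* Constructed victim memory: a public array with a secret right after it. */
struct victim_mem {
    uint8_t public_data[16];
    char    secret[16];
};
static struct victim_mem vm = {
    .public_data = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
    .secret      = "SECRET-TOKEN",
};
static uint8_t probe[256 * STRIDE];

/* VULNERABLE gadget (Spectre v1): the check holds architecturally, but with the
 * predictor trained on in-range idx, an out-of-range idx (16 aliases vm.secret[0])
 * runs transiently; the secret byte selects a probe[] line that stays cached. */
size_t victim_vulnerable(size_t idx) {
    if (idx < sizeof vm.public_data)
        return probe[vm.public_data[idx] * STRIDE];
    return 0;
}

/* Branch-free mask: all ones when idx < size, else zero; evaluated on the transient
 * path too, unlike a branch (same construction as Linux's array_index_mask_nospec). */
static inline size_t index_mask_nospec(size_t idx, size_t size) {
    __asm__("" : "+r"(idx)); /* keep the compiler from folding the mask away */
    return (size_t)(~(intptr_t)(idx | (size - 1 - idx)) >> (sizeof(size_t) * 8 - 1));
}

size_t clamp_index_nospec(size_t idx, size_t size) {
    return idx & index_mask_nospec(idx, size);
}

/* HARDENED (1): masked index, so a transient out-of-range access hits public_data[0]. */
size_t victim_masked(size_t idx) {
    if (idx < sizeof vm.public_data) {
        idx = clamp_index_nospec(idx, sizeof vm.public_data);
        return probe[vm.public_data[idx] * STRIDE];
    }
    return 0;
}

/* HARDENED (2): lfence holds the load until the compare retires; simpler, costlier. */
size_t victim_fenced(size_t idx) {
    if (idx < sizeof vm.public_data) {
        SPECULATION_BARRIER();
        return probe[vm.public_data[idx] * STRIDE];
    }
    return 0;
}

/* Architectural model of the transient load: the byte a given idx would
 * feed into the side channel (an emulation, not transient execution). */
uint8_t transient_byte_model(size_t idx) {
    return ((const uint8_t *)&vm)[offsetof(struct victim_mem, public_data) + idx];
}

/* Flush+reload: evict all probe lines, touch one (the model stands in for the
 * transient load), time reloads in scrambled order; the cached line is fastest. */
unsigned recover_byte_flush_reload(size_t idx) {
#if defined(__x86_64__)
    unsigned best = 0, aux;
    uint64_t best_t = UINT64_MAX;
    for (unsigned v = 0; v < 256; v++)
        _mm_clflush(&probe[v * STRIDE]);
    (void)*(volatile uint8_t *)&probe[transient_byte_model(idx) * STRIDE];
    for (unsigned i = 0; i < 256; i++) {
        unsigned v = (i * 167 + 13) & 255; /* avoid the adjacent-line prefetcher */
        volatile uint8_t *line = &probe[v * STRIDE];
        uint64_t t0 = __rdtscp(&aux);
        (void)*line;
        uint64_t dt = __rdtscp(&aux) - t0;
        if (dt < best_t) { best_t = dt; best = v; }
    }
    return best;
#else
    (void)idx;
    return 0;
#endif
}

int main(void) {
    for (size_t i = 16; i < 28; i++) /* attacker's index range over the secret */
        putchar(recover_byte_flush_reload(i));
    putchar('\n');
    return 0;
}
```

Build with a C99 compiler on x86-64 (for example gcc -O2) and run it; a single
flush+reload pass can misread a byte under noise, which is why real probes
repeat each measurement and take a vote. Masking is the hardening to prefer
in hot paths, since it adds arithmetic rather than a pipeline drain.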

References

Meltdown and Spectre - https://meltdownattack.com/
CERT Vulnerability Note VU#584653 - https://www.kb.cert.org/vuls/id/584653

Revisions

2019-01-21 A fix for Security Analytics 7.3 is available in 7.3.3. A fix for
Security Analytics 8.0 is available in 8.0.1.
2018-04-25 A fix for XOS 9.7 will not be provided. Please upgrade to a later
version with the vulnerability fixes.
2018-04-22 CA 2.3 is vulnerable.
2018-04-01 All hardware platforms are affected unless specified otherwise in
the Affected Products section.
2018-01-09 PolicyCenter (non S-Series) and Reporter 9.5 run as userspace
applications on customer-provided hardware platforms and operating systems. The
vulnerabilities addressed in this security advisory are not present in these
applications, but they can be targeted by an attacker if the underlying
hardware platforms and operating systems are vulnerable.
2018-01-08 initial public release

Legacy ID

SA161

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----