Summary
On January 3, 2018, researchers disclosed three vulnerabilities that take advantage of the implementation of speculative execution of instructions on many modern microprocessor architectures to perform side-channel information disclosure attacks. These vulnerabilities could allow an unprivileged local attacker, in specific circumstances, to read privileged memory belonging to other processes or memory allocated to the operating system kernel.
The first two vulnerabilities, CVE-2017-5753 and CVE-2017-5715, are collectively known as Spectre; the third vulnerability, CVE-2017-5754, is known as Meltdown. The vulnerabilities are all variants of the same attack and differ in the way that speculative execution is exploited.
To exploit any of these vulnerabilities, an attacker must be able to run crafted code on an affected device. Although the underlying CPU and operating system combination in a product may be affected by these vulnerabilities, the majority of Cisco products are closed systems that do not allow customers to run custom code on the device, and thus are not vulnerable. There is no vector to exploit them. Cisco devices are considered potentially vulnerable only if they allow customers to execute their customized code side-by-side with Cisco code on the same microprocessor.
A Cisco product that may be deployed as a virtual machine or a container, even while not being directly affected by any of these vulnerabilities, could be targeted by such attacks if the hosting environment is vulnerable. Cisco recommends customers harden their virtual environment and ensure that all security updates are installed.
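The following is an added example, not part of Cisco's advisory: one way to check whether a Linux host that runs virtual machines or containers reports mitigations for the three CVEs named above. It assumes a kernel that exposes mitigation status under /sys/devices/system/cpu/vulnerabilities; the function names and the `--report` argument are illustrative.

```shell
#!/bin/sh
# Added example: summarize host mitigation status for the advisory's three CVEs.
# Assumption: Linux host whose kernel provides the sysfs "vulnerabilities" directory.
SYSFS_DIR="${SYSFS_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status TEXT -> not_affected | mitigated | partial | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        Mitigation:*)
            # A "Mitigation:" line may still flag a vulnerable sub-component.
            case "$1" in
                *Vulnerable*|*vulnerable*) echo partial ;;
                *) echo mitigated ;;
            esac ;;
        Vulnerable*) echo vulnerable ;;
        # Empty or unrecognized text: an absent entry does not mean the host is safe.
        *) echo unknown ;;
    esac
}

# read_status NAME -> first line of the sysfs entry, or nothing if it is absent
read_status() {
    [ -r "$SYSFS_DIR/$1" ] && head -n 1 "$SYSFS_DIR/$1"
    return 0
}

# report -> one line per CVE; returns 1 unless every entry is mitigated or not affected
report() {
    rc=0
    for pair in CVE-2017-5753:spectre_v1 CVE-2017-5715:spectre_v2 CVE-2017-5754:meltdown; do
        cve=${pair%%:*}
        name=${pair#*:}
        raw=$(read_status "$name")
        state=$(classify_status "$raw")
        printf '%-14s %-11s %-13s %s\n' "$cve" "$name" "$state" "${raw:-no sysfs entry}"
        case "$state" in
            mitigated|not_affected) ;;
            *) rc=1 ;;
        esac
    done
    return $rc
}

# Run as "sh script.sh --report" to print the status of the current host.
if [ "${1:-}" = "--report" ]; then report; fi
```

A result of `unknown` means the kernel does not provide the entry at all, which is typical of kernels that predate the fixes and should be treated as unpatched until verified.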
Cisco will release software updates that address these vulnerabilities.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechannel
Affected Products
Cisco is investigating its product line to determine which products may be affected by these vulnerabilities. As the investigation progresses, Cisco will update this advisory with information about affected products, including the Cisco bug ID for each affected product.
Any product not listed under the "Products Under Investigation" or "Vulnerable Products" section of this advisory is to be considered not vulnerable. The criteria for considering whether a product is vulnerable are explained in the "Summary" section of this advisory. As this is an ongoing investigation, please be aware that products considered not vulnerable may subsequently be considered vulnerable if additional information becomes available.
Products Under Investigation
Collaboration and Social Media
- Cisco Meeting Server
Network Application, Service, and Acceleration
- Cisco Cloud Services Platform 2100
- Cisco vBond Orchestrator
- Cisco vEdge 5000
- Cisco vEdge Cloud
- Cisco vManage NMS
- Cisco vSmart Controller
Routing and Switching - Enterprise and Service Provider
- Cisco 4000 Series Integrated Services Routers (IOS XE Open Service Containers)
- Cisco 4000 Series Integrated Services Routers (IOx feature)
- Cisco 500 Series WPAN Industrial Routers (IOx feature)
- Cisco ASR 1000 Series Aggregation Services Routers with RP2 or RP3 (IOS XE Open Service Containers)
- Cisco ASR 1001-HX Series Aggregation Services Routers (IOS XE Open Service Containers)
- Cisco ASR 1001-X Series Aggregation Services Routers (IOS XE Open Service Containers)
- Cisco ASR 1002-HX Series Aggregation Services Routers (IOS XE Open Service Containers)
- Cisco ASR 1002-X Series Aggregation Services Routers (IOS XE Open Service Containers)
- Cisco CGR 1000 Compute Module (IOx feature)
- Cisco Catalyst 9300 Series Switches (IOx feature)
- Cisco Catalyst 9400 Series Switches (IOx feature)
- Cisco Catalyst 9500 Series Switches (IOx feature)
- Cisco Cloud Services Router 1000V Series (IOS XE Open Service Containers)
- Cisco Industrial Ethernet 4000 Series Switches (IOx feature)
- Cisco Nexus 3000 Series Switches
- Cisco Nexus 4000 Series Blade Switches
- Cisco Nexus 5000 Series Switches
- Cisco Nexus 6000 Series Switches
- Cisco Nexus 7000 Series Switches
- Cisco Nexus 9000 Series Fabric Switches - ACI mode
- Cisco Nexus 9000 Series Switches - Standalone, NX-OS mode
Unified Computing
- Cisco UCS E-Series Servers
Vulnerable Products
The following table lists Cisco products that are affected by the vulnerabilities described in this advisory.

| Product | Cisco Bug ID | Fixed Release Availability |
|---|---|---|
| **Network Application, Service, and Acceleration** | | |
| Cisco Wide Area Application Services (WAAS) | CSCvh49646 | |
| **Routing and Switching - Enterprise and Service Provider** | | |
| Cisco ASR 9000 XR 64-bit Series Routers | CSCvh32429 | |
| Cisco 800 Industrial Integrated Services Routers | CSCvh31418 | |
| Cisco NCS 1000 Series Routers | CSCvh32429 | |
| Cisco NCS 5000 Series Routers | CSCvh32429 | |
| Cisco NCS 5500 Series Routers | CSCvh32429 | |
| Cisco XRv 9000 Series Routers | CSCvh32429 | |
| **Unified Computing** | | |
| Cisco UCS B-Series M2 Blade Servers | CSCvh31576 | Fix pending |
| Cisco UCS B-Series M3 Blade Servers | CSCvg97965 | (18-Feb-2018) |
| Cisco UCS B-Series M4 Blade Servers (except B260 and B460) | CSCvg97979 | (18-Feb-2018) |
| Cisco UCS B-Series M5 Blade Servers | CSCvh31577 | (18-Feb-2018) |
| Cisco UCS B260 M4 Blade Server | CSCvg98015 | (18-Feb-2018) |
| Cisco UCS B460 M4 Blade Server | CSCvg98015 | (18-Feb-2018) |
| Cisco UCS C-Series M2 Rack Servers | CSCvh31576 | Fix pending |
| Cisco UCS C-Series M3 Rack Servers | CSCvg97965 | (18-Feb-2018) |
| Cisco UCS C-Series M4 Rack Servers (except C460)¹ | CSCvg97979 | (18-Feb-2018) |
| Cisco UCS C-Series M5 Rack Servers¹ | CSCvh31577 | (18-Feb-2018) |
| Cisco UCS C460 M4 Rack Server | CSCvg98015 | (18-Feb-2018) |

¹ Cisco UCS M4 and M5 Rack Servers are used as part of the Cisco HyperFlex Solution.
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by these vulnerabilities.
Cisco has confirmed that these vulnerabilities do not affect the following products:
Network Application, Service, and Acceleration
- Cisco vEdge 1000
- Cisco vEdge 100
- Cisco vEdge 2000
Routing and Switching - Enterprise and Service Provider
- Cisco 1000 Series Connected Grid Routers
- Cisco ASR 1001 Fixed Configuration Aggregation Services Router
- Cisco ASR 1002 Fixed Configuration Aggregation Services Router
- Cisco ASR 1002-F Fixed Configuration Aggregation Services Router
- Cisco Catalyst 3650 Series Switches
- Cisco Catalyst 3850 Series Switches
Details
Details about the vulnerabilities are as follows.
Modern CPU Process Prediction Information Disclosure Vulnerability
A vulnerability due to the design of most modern CPUs could allow a local attacker to access sensitive information on a targeted system.
The vulnerability is due to improper implementation of the speculative execution of instructions by the affected software. This vulnerability can be triggered by utilizing branch target injection. An attacker could exploit this vulnerability by executing arbitrary code and performing a side-channel attack on a targeted system. A successful exploit could allow the attacker to read sensitive memory information.
This vulnerability has been assigned the following CVE ID: CVE-2017-5715
Modern CPU Process Branch Prediction Information Disclosure Vulnerability
A vulnerability due to the design of most modern CPUs could allow a local attacker to access sensitive information on a targeted system.
The vulnerability is due to improper implementation of the speculative execution of instructions by the affected software. This vulnerability can be triggered by performing a bounds check bypass. An attacker could exploit this vulnerability by executing arbitrary code and performing a side-channel attack on a targeted system. A successful exploit could allow the attacker to read sensitive memory information.
This vulnerability has been assigned the following CVE ID: CVE-2017-5753
Intel CPU Indirect Branch Prediction Information Disclosure Vulnerability
A vulnerability in Intel CPU hardware could allow a local attacker to gain access to sensitive information on a targeted system.
The vulnerability is due to side-channel attacks, which are also referred to as Meltdown attacks. A local attacker could exploit this vulnerability by executing arbitrary code on the affected system. A successful exploit could allow the attacker to gain access to sensitive information on the targeted system, including accessing memory from the CPU cache.
This vulnerability has been assigned the following CVE ID: CVE-2017-5754
Workarounds
Any workarounds will be documented in the product-specific Cisco bugs, which are accessible through the Cisco Bug Search Tool.
Fixed Software
For information about fixed software releases, consult the Cisco bug ID(s) at the top of this advisory.
When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Exploitation and Public Announcements
The vulnerabilities described in this advisory were discussed in several articles and discussion forums as of January 3, 2018.
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any malicious use of the vulnerabilities that are described in this advisory.
Cisco Security Vulnerability Policy
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Revision History

| Version | Description | Section | Status | Date |
|---|---|---|---|---|
| 1.4 | Updated information about products under investigation and vulnerable products. | Affected Products, Vulnerable Products | Interim | 2018-January-09 |
| 1.3 | Updated vulnerability details and information about products under investigation and products confirmed not vulnerable. Added the Vulnerable Products table, including information about fixed release availability. | Affected Products, Vulnerable Products, Details, Fixed Software | Interim | 2018-January-08 |
| 1.2 | Updated Summary and Products Under Investigation, added the Vulnerable Products table with information about fixes. | Summary, Affected Products, Vulnerable Products, Fixed Software | Interim | 2018-January-05 |
| 1.1 | Clarified the non-vulnerable product section. | Products Confirmed Not Vulnerable | Interim | 2018-January-04 |
| 1.0 | Initial public release. | — | Interim | 2018-January-04 |

Legal Disclaimer
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. CISCO EXPECTS TO UPDATE THIS DOCUMENT AS NEW INFORMATION BECOMES AVAILABLE.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.