SPECTRE/MELTDOWN - CVE-2017-5715/5753/5754

Published: Friday, January 5, 2018
Last updated: Wednesday, April 4, 2018
Summary 

On January 3, 2018, researchers disclosed security vulnerabilities commonly known in the industry as Spectre [4] and Meltdown [5], which have been assigned the following CVEs:

| Item # | Vulnerability ID | Score Source | Score | Summary |
|---|---|---|---|---|
| 1 | CVE-2017-5715 | CVSS 3.0 | 5.6 Med | Speculative execution branch target injection (Spectre) [1] |
| 2 | CVE-2017-5753 | CVSS 3.0 | 5.6 Med | Speculative execution bounds-check bypass (Spectre) [2] |
| 3 | CVE-2017-5754 | CVSS 3.0 | 5.6 Med | Speculative execution permission faults handling (Meltdown) [3] |

 

These vulnerabilities take advantage of how speculative execution of instructions is implemented on most (if not all) modern processors and operating systems (OSs), including those supported by A10 products. They could allow an unprivileged attacker, in specific circumstances, to read privileged memory belonging to other processes or memory allocated to the OS kernel. To successfully exploit these weaknesses and gain access to restricted memory, an attack requires the execution of crafted, custom code on the target device or system.

ACOS products that support the External Health Monitor feature are potentially exposed to misuse of the feature by malicious, Read-Write privileged administrators. Accordingly, A10 recommends limiting access to such critical infrastructure networking equipment to only trusted administrators from trusted administrative networks and hosts, both as a defense against active exploitation of these vulnerabilities and to ensure that only code fully trusted by the customer is deployed to these products.

A10 products and release families that support this ACOS feature and warrant these administrative considerations include:

Thunder and vThunder ADC, CGN, SSLi, CFW ACOS (4.1.2, 4.1.1, 4.1.0)
Thunder, vThunder, and AX ADC ACOS (2.7.2, 2.7.1-GR1, 2.6.1-GR1)
Thunder and AX CGN ACOS (2.8.2)

 

A10 aGalaxy and other ACOS products do not support this feature and are accordingly unaffected by these vulnerabilities. These products include:

Thunder TPS ACOS (3.0, 3.1, 3.2)
aGalaxy TPS Centralized Mgmt aGalaxy (3.2)
aGalaxy 5000 TPS Centralized Mgmt aGalaxy (3.2)
aGalaxy ADC Centralized Mgmt aGalaxy (3.0)

 

For all virtualized A10 products, including ACOS vThunder, A10 recommends that customers ensure that their Host-OSs (hypervisors) are updated as necessary to address these vulnerabilities and that their underlying platforms have corresponding, appropriate firmware updates.

In addition, for A10 Lightning ADC and Harmony Controller virtualized products, root-level access to the Local OS shell and Container Management System (CMS) software is available to product administrators. A10 recommends that only trusted administrators likewise be allowed access to these root-level, privileged services to ensure that malicious code which could exploit these vulnerabilities does not enter or become established in virtual instances of these products.

For A10 Harmony Controller Appliance and Hybrid Virtual Appliance products, root-level access to the Host OS shell is also available to product administrators. A10 additionally recommends that only trusted administrators likewise be allowed access to this service to ensure that potentially malicious code from untrusted parties does not become instantiated in these appliances.

To improve the ability of customers to manage ACOS devices, in light of these issues and others like them in the future, A10 will harden and enhance ACOS configuration and management capabilities for this feature as described in the Affected Releases section below.

A10 continues to investigate the Spectre and Meltdown vulnerabilities for further potential impacts and will update this advisory as additional information becomes available. As this investigation proceeds, A10 PSIRT looks forward to feedback and questions on these issues. Customers and partners are welcome to contact the A10 Technical Assistance Center (TAC) or their A10 Sales Representatives. Others are invited to contact A10 PSIRT via email.

Affected Releases

The table below indicates releases of A10 products potentially exposed to misuse of this ACOS configuration management feature by malicious, Read-Write privileged administrators and releases that will harden and enhance ACOS configuration management for this feature.

Customers using potentially exposed releases can update ACOS to the indicated resolved release. If the table does not list a corresponding resolved or unaffected release, then no release update is currently available or anticipated.

| Releases Affected | Releases Resolved or Unaffected |
|---|---|
| 4.1.4 | 4.1.4-P1 (a) |
| 4.1.2 - 4.1.2-P3 | 4.1.2-P4 (a) |
| 4.1.1 - 4.1.1-P7 | 4.1.1-P8 (a) |
| 4.1.0 - 4.1.0-P11 | 4.1.0-P12 (a) |
| 4.0.0 - 4.0.3-P4 | 4.1.0-P11 (a), 4.1.1-P8 (a), 4.1.2-P4 (a) |
| 2.8.2 - 2.8.2-P9 | 2.8.2-P10 (a) |
| 2.7.2 - 2.7.2-P11 | 2.7.2-P12 (a) |
| 2.7.1-GR1 - 2.7.1-GR1-P3 | 2.7.1-GR1-P4 (a) |
| 2.6.1-GR1 - 2.6.1-GR1-P16 | 2.7.1-GR1-P4 (a), 4.1.0-P11 (a), 4.1.1-P8 (a), 4.1.2-P4 (a) |

(a) Tentatively Planned.
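
The table above can be applied to a device inventory as follows. This is an added example, not A10 code: it assumes ACOS version strings follow the X.Y.Z[-GRn][-Pn] pattern seen in the table and that GR and P levels order numerically, and the hostnames passed to it are hypothetical.

```python
import re

# Rows of the Affected Releases table: (first affected, last affected, resolved).
# Every resolved release is marked (a) in the table, i.e. tentatively planned.
AFFECTED = [
    ("4.1.4", "4.1.4", ["4.1.4-P1"]),
    ("4.1.2", "4.1.2-P3", ["4.1.2-P4"]),
    ("4.1.1", "4.1.1-P7", ["4.1.1-P8"]),
    ("4.1.0", "4.1.0-P11", ["4.1.0-P12"]),
    ("4.0.0", "4.0.3-P4", ["4.1.0-P11", "4.1.1-P8", "4.1.2-P4"]),
    ("2.8.2", "2.8.2-P9", ["2.8.2-P10"]),
    ("2.7.2", "2.7.2-P11", ["2.7.2-P12"]),
    ("2.7.1-GR1", "2.7.1-GR1-P3", ["2.7.1-GR1-P4"]),
    ("2.6.1-GR1", "2.6.1-GR1-P16",
     ["2.7.1-GR1-P4", "4.1.0-P11", "4.1.1-P8", "4.1.2-P4"]),
]

# Assumed version grammar, inferred from the strings in the table.
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-GR(\d+))?(?:-P(\d+))?$", re.I)

def parse_acos(version):
    """Turn '2.7.1-GR1-P3' into a sortable tuple (2, 7, 1, 1, 3)."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ACOS version string: {version!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())

def check_release(version):
    """Return (affected, resolved_releases) for one running release."""
    v = parse_acos(version)
    for first, last, resolved in AFFECTED:
        if parse_acos(first) <= v <= parse_acos(last):
            return True, resolved
    return False, []

def audit(inventory):
    """Map hostname -> (verdict, resolved) for a {hostname: version} dict."""
    report = {}
    for host, version in inventory.items():
        try:
            affected, resolved = check_release(version)
            report[host] = ("affected", resolved) if affected else ("not listed", [])
        except ValueError:
            # Unparseable strings go to manual review; never assume "safe".
            report[host] = ("unparsed", [])
    return report
```

The table lists 4.1.0-P11 both inside an affected range and as a resolved target in the 4.0.0 and 2.6.1-GR1 rows; the check reports each row as published.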

Workarounds and Mitigations 

Recommended practices for the administration of A10 products are described in the Summary section above regarding these vulnerabilities.

Software Updates 

Software updates that address these vulnerabilities are or will be published at the following URL:
https://www.a10networks.com/support/axseries/software-downloads

Vulnerability Details

The following table shares brief descriptions for the vulnerabilities addressed in this document.

| Vulnerability ID | Vulnerability Description |
|---|---|
| CVE-2017-5715 | Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis. |
| CVE-2017-5753 | Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis. |
| CVE-2017-5754 | Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache. |

Acknowledgements 

None.

Modification History 

| Revision | Date | Description |
|---|---|---|
| 1.0 | January 05, 2018 | Initial Publication |
| 2.0 | January 06, 2018 | Removed template text unrelated to this advisory. |
| 3.0 | February 08, 2018 | Updated Summary, Affected Releases, Workarounds and Mitigations, Vulnerability Details, Related Links |
| 4.0 | March 09, 2018 | Added ACOS 4.1.4 release information |
| 5.0 | April 04, 2018 | Updated ACOS 4.1.0 release information |