SA161: Local Information Disclosure Due to Meltdown and Spectre Attacks

Content Analysis Software

1426

27 April 2021

08 January 2018

CLOSED

Medium

CVSS v2: 4.7

SUMMARY

Symantec Network Protection products, which run on an affected CPU chipset and execute arbitrary code from external sources, are susceptible to several information disclosure vulnerabilities (aka Meltdown and Spectre attacks). A remote attacker, with the ability to execute arbitrary code locally on the target, can obtain sensitive information from the memory spaces of the same userspace application, other userspace applications, the operating system, or a VM hypervisor.

AFFECTED PRODUCTS

The following products are vulnerable.  All hardware platforms are affected unless specified otherwise:

Content Analysis (CA)
CVE | Affected Version(s) | Remediation
All CVEs | 2.4 | Not vulnerable, fixed in 2.4.1.1. Please update all Windows iVM profiles with the latest Windows patches.
All CVEs | 2.1, 2.2, 2.3 | Upgrade to later release with fixes.

 

Malware Analysis (MA)
CVE | Affected Version(s) | Remediation
All CVEs | 4.2 | Upgrade to a version of Content Analysis with fixes.

 

Security Analytics
CVE | Affected Version(s) | Remediation
All CVEs | 8.0 | Not vulnerable, fixed in 8.0.1.
All CVEs | 7.3 | Upgrade to 7.3.3.
All CVEs | 7.1, 7.2 | Upgrade to later release with fixes.

  

X-Series XOS
CVE | Affected Version(s) | Remediation
All CVEs | 11.0 | Not available at this time
All CVEs | 10.0 | Upgrade to later release with fixes.
All CVEs | 9.7 | Upgrade to later release with fixes.

 

ADDITIONAL PRODUCT INFORMATION 

Content Analysis (CA) is only vulnerable when configured with on-box sandboxing. Only the Windows iVM profiles are vulnerable. Starting with CA 2.4, updating all Windows iVM profiles to include the Spectre/Meltdown patches remediates these vulnerabilities.

Security Analytics is only vulnerable when an administrator user executes malicious code on the appliance.

X-Series XOS is only vulnerable when an administrator user accesses the XOS diagnostics functionality and executes malicious code on the appliance.  The NPM-8620 (standalone and in X20 chassis), NPM-8650, and NPM-9600 platforms are not affected.

The following products use affected CPU chipsets, but do not allow administrators to execute arbitrary code and are not vulnerable to known vectors of attack:
Advanced Secure Gateway
CacheFlow (CF5000-CX and CF5000-MX platforms are not affected by Meltdown)
Content Analysis 1.3
Director
Mail Threat Defense
Management Center
Norman Shark Industrial Control System Protection
PacketShaper
PacketShaper S-Series
PolicyCenter S-Series
ProxyAV
ProxySG (SG300, SG600, and SG9000 platforms are not affected by Meltdown)
Reporter 10.1
SSL Visibility

The following products run as userspace applications on customer-provided hardware platforms and operating systems. The vulnerabilities addressed in this security advisory are not present in our applications, but these applications can be targeted by an attacker if the underlying hardware platforms and operating systems are vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
HSM Agent for the Luna SP
IntelligenceCenter
IntelligenceCenter Data Collector
K9
PolicyCenter
ProxyClient
ProxyAV ConLog and ConLogXP
Reporter 9.5
Unified Agent
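
For the userspace products listed above, exposure depends on the host platform, so the practical check is the host's own mitigation state. The following is an added example, not part of the original advisory or any Symantec tooling; it assumes a Linux host whose kernel exposes /sys/devices/system/cpu/vulnerabilities, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report the kernel-declared mitigation state for the three
# CVEs in this advisory. Assumes a Linux host that exposes the sysfs
# directory below (an assumption; the advisory does not name a host OS).

VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# Map one sysfs status line to: not_affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Print "<CVE> <sysfs name> <state>" for each issue. Return 1 if any issue is
# vulnerable or unknown (a missing file usually means a kernel that predates
# the fixes and cannot report its state).
audit_cpu_vulns() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for pair in CVE-2017-5753:spectre_v1 CVE-2017-5715:spectre_v2 CVE-2017-5754:meltdown; do
        cve=${pair%%:*}
        name=${pair#*:}
        if [ -r "$dir/$name" ]; then
            state=$(classify_status "$(head -n 1 "$dir/$name")")
        else
            state=unknown
        fi
        echo "$cve $name $state"
        case "$state" in
            vulnerable|unknown) rc=1 ;;
        esac
    done
    return $rc
}

# Audit the live host (or a directory given as the first argument).
audit_cpu_vulns "$@" || echo "action needed: apply OS and firmware updates" >&2
```

A non-zero result from audit_cpu_vulns means at least one of the three issues is not reported as mitigated on that host.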

The following products are not vulnerable:

Web Isolation

ISSUES 

CVE-2017-5715 (Spectre variant 2)
Severity / CVSSv2: Medium / 4.7 (AV:L/AC:M/Au:N/C:C/I:N/A:N)
References: SecurityFocus: BID 102376 / NVD: CVE-2017-5715
Impact: Information disclosure
Description: Spectre variant 2 exploits an information disclosure vulnerability in CPU chipsets that support speculative execution through branch prediction.  A malicious userspace application can obtain unauthorized access to sensitive data from the memory space of the same or a different userspace application by accessing data left uncleared in the CPU cache after speculatively executed CPU instructions loaded due to a mispredicted branch target.  The attack may also allow malicious code running as a guest in a virtual machine to obtain unauthorized access to sensitive data from the VM hypervisor memory.

 

CVE-2017-5753 (Spectre variant 1)
Severity / CVSSv2: Medium / 4.7 (AV:L/AC:M/Au:N/C:C/I:N/A:N)
References: SecurityFocus: BID 102371 / NVD: CVE-2017-5753
Impact: Information disclosure
Description: Spectre variant 1 exploits an information disclosure vulnerability in CPU chipsets that support speculative execution through branch prediction.  A malicious userspace application can obtain unauthorized access to sensitive data from the memory space of the same or a different userspace application by accessing data left uncleared in the CPU cache after speculatively executed CPU instructions loaded due to an incorrect branch prediction.

 

CVE-2017-5754 (Meltdown)
Severity / CVSSv2: Medium / 4.7 (AV:L/AC:M/Au:N/C:C/I:N/A:N)
References: SecurityFocus: BID 102378 / NVD: CVE-2017-5754
Impact: Information disclosure
Description: The Meltdown attack exploits an information disclosure vulnerability in CPU chipsets that support out-of-order execution.  It allows a malicious userspace application to access sensitive information from the kernel memory spaces or from the memory spaces of another userspace application.  If a userspace application attempts to access a memory location reserved for the operating system, the system triggers an exception.  A CPU chipset supporting out-of-order execution may fetch sensitive data and store it in the CPU cache before detecting the exception. The data remains uncleared in the CPU cache, where a malicious userspace application can access it via side-channel analysis.

 

REFERENCES

Meltdown and Spectre - https://meltdownattack.com/
CERT Vulnerability Note VU#584653 - https://www.kb.cert.org/vuls/id/584653

REVISION

2020-04-30 Advisory status changed to Closed.
2020-01-19 A fix will not be provided for Malware Analysis.  Please upgrade to a version of Content Analysis with the vulnerability fixes.
2019-10-02 Web Isolation is not vulnerable.
2019-08-17 CA 2.4 is not vulnerable because a fix is available in CA 2.4.  Customers need to update all Windows iVM profiles with the latest Windows patches.
2019-01-21 A fix for Security Analytics 7.3 is available in 7.3.3.  Security Analytics 8.0 is not vulnerable because a fix is available in 8.0.1.
2018-04-25 A fix for XOS 9.7 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2018-04-22 CA 2.3 is vulnerable.
2018-04-01 All hardware platforms are affected unless specified otherwise in the Affected Products section.
2018-01-09 PolicyCenter (non S-Series) and Reporter 9.5 run as userspace applications on customer-provided hardware platforms and operating systems. The vulnerabilities addressed in this security advisory are not present in these applications, but they can be targeted by an attacker if the underlying hardware platforms and operating systems are vulnerable.
2018-01-08 initial public release