4.7 - cisco-sa-20180104-cpusidechannel

On January 3, 2018 researchers disclosed three vulnerabilities that take advantage of the implementation of speculative execution of instructions on many modern microprocessor architectures to perform side-channel information disclosure attacks. These vulnerabilities could allow an unprivileged local attacker, in specific circumstances, to read privileged memory belonging to other processes or memory allocated to the operating system kernel.

The first two vulnerabilities, CVE-2017-5753 and CVE-2017-5715, are collectively known as Spectre, the third vulnerability, CVE-2017-5754, is known as Meltdown. The vulnerabilities are all variants of the same attack and differ in the way the speculative execution is exploited.

In order to exploit any of these vulnerabilities, an attacker must be able to run crafted code on an affected device. The majority of Cisco products are closed systems, which do not allow customers to run custom code on the device. Although, the underlying CPU and OS combination in a product may be affected by these vulnerabilities, the majority of Cisco products are closed systems that do not allow customers to run custom code on the device, and thus are not vulnerable. There is no vector to exploit them. Only Cisco devices that are found to allow the customer to execute their customized code side-by-side with the Cisco code on the same microprocessor are considered vulnerable.

A Cisco product that may be deployed as a virtual machine or a container, even while not being directly affected by any of these vulnerabilities, could be the targeted by such attacks if the hosting environment is vulnerable. Cisco recommends customers to harden their virtual environment and to ensure that all security updates are installed.

Cisco will release software updates that address this vulnerability.

This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechannel ["https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechannel"]

BEGIN PGP SIGNATURE

iQKBBAEBAgBrBQJaTqntZBxDaXNjbyBTeXN0ZW1zIFByb2R1Y3QgU2VjdXJpdHkg SW5jaWRlbnQgUmVzcG9uc2UgVGVhbSAoQ2lzY28gUFNJUlQga2V5IDIwMTYtMjAx NykgPHBzaXJ0QGNpc2NvLmNvbT4ACgkQrz2APcQAkHkiWQ//fNM7O4oLR/eQ2+v1 dM9YRI6/qWcXOudehRxg+UKsRWaUb8T3R7R4c5F9A//ag2AHfo/VWR78dAln+2a5 /DdJ74/23EozKsuWpR+JlFuTO+Kq/EjBZeO9pT/lxWrbZaP62U5mWWMd8ds39of4 pPrqxWFS/iZ4fZ1mac+EJJEEGlz7blsJrRFTl/EhhSqwb+9YUdLfmxRkOnMYh1K2 Nq32t+aFvS2aZF7POLsmdaS9r1wEy5IYEF4Huxoui9hNbDEWH5zCt67jfOz5uC2G Jgf4lQhjnlTKOO/yLWPmAsmJYvaFYP92PDA7rrvrORsPvzpXmgE6hVwxUBVD2f7q +lAxPKg28/UweXVcda0nemhq+ZhbWUPxJeGMedeNu2qqdOsXmUsUDj/igGaYwM2B 5NZ3/f2i1lFyawjUoCMrEYr55TwAHQ8cwDekEpqjJrnN56TGoe2WNqoB9skK+aI5 BMNEyMVkpEA4ltgfjmzN8g+NGLJcdxYIwIL/eryMaGASyxrca7a9xjhf4ZZJSRVP wAv51kPxVZJ4Gn4UALuxx2l0oUBaRvY04wjqou3pEP8yM9bda90ZM1cWZG+nc/Mc rEjXWcqkXVnq0TytvELjt6xt42OtMXGY2IjznvM+TXTcYP7v5xhrfpkmTAfstJhM rAvdPK486AXV02kSYePfBrWyeag= =vDlh END PGP SIGNATURE

_______________________________________________ cust-security-announce mailing list cust-security-announce@cisco.com To unsubscribe, send the command "unsubscribe" in the subject of your message to cust-security-announce-leave@cisco.com