Executive Summary

Summary
Title: CPU Side-Channel Information Disclosure Vulnerabilities: May 2018
Information
Name: cisco-sa-20180521-cpusidechannel
First vendor Publication: 2018-05-21
Vendor: Cisco
Last vendor Modification: 2018-05-22
Severity (Vendor): N/A
Revision: N/A

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact SubScore: NA
Temporal Score: NA
Exploitability Sub Score: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:L/AC:L/Au:N/C:C/I:N/A:N)
CVSS Base Score: 4.9
Attack Range: Local
CVSS Impact Score: 6.9
Attack Complexity: Low
CVSS Exploit Score: 3.9
Authentication: None Required

Detail

On May 21, 2018, researchers disclosed two vulnerabilities that take advantage of the implementation of speculative execution of instructions on many modern microprocessor architectures to perform side-channel information disclosure attacks. These vulnerabilities could allow an unprivileged, local attacker, in specific circumstances, to read privileged memory belonging to other processes.

The first vulnerability, CVE-2018-3639, is known as Spectre Variant 4 or SpectreNG. The second vulnerability, CVE-2018-3640, is known as Spectre Variant 3a. Both of these attacks are variants of the attacks disclosed in January 2018 and leverage cache-timing attacks to infer any disclosed data.

To exploit either of these vulnerabilities, an attacker must be able to run crafted or script code on an affected device. Although the underlying CPU and operating system combination in a product or service may be affected by these vulnerabilities, the majority of Cisco products are closed systems that do not allow customers to run custom code and are, therefore, not vulnerable. There is no vector to exploit them. Cisco products are considered potentially vulnerable only if they allow customers to execute custom code side-by-side with Cisco code on the same microprocessor.

A Cisco product that may be deployed as a virtual machine or a container, even while not directly affected by any of these vulnerabilities, could be targeted by such attacks if the hosting environment is vulnerable. Cisco recommends that customers harden their virtual environments, tightly control user access, and ensure that all security updates are installed. Customers who are deploying products as a virtual device in multi-tenant hosting environments should ensure that the underlying hardware, as well as operating system or hypervisor, is patched against the vulnerabilities in question.

Although Cisco cloud services are not directly affected by these vulnerabilities, the infrastructure on which they run may be impacted. Refer to the “Affected Products” section of this advisory for information about the impact of these vulnerabilities on Cisco cloud services.

Cisco will release software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.

This advisory is available at the following link:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180521-cpusidechannel


Original Source

Url : http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco (...)

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-203 Information Exposure Through Discrepancy


Nessus® Vulnerability Scanner

Date Description
2019-01-10 Name : The remote device is affected by multiple vulnerabilities.
File : juniper_space_jsa10917_183R1.nasl - Type : ACT_GATHER_INFO
2019-01-03 Name : The remote Fedora host is missing a security update.
File : fedora_2018-db0d3e157e.nasl - Type : ACT_GATHER_INFO
2019-01-03 Name : The remote Fedora host is missing a security update.
File : fedora_2018-5521156807.nasl - Type : ACT_GATHER_INFO
2019-01-03 Name : The remote Fedora host is missing a security update.
File : fedora_2018-527698a904.nasl - Type : ACT_GATHER_INFO
2019-01-03 Name : The remote Fedora host is missing a security update.
File : fedora_2018-44f8a7454d.nasl - Type : ACT_GATHER_INFO
2018-10-31 Name : The remote host is missing a macOS security update that fixes multiple vulner...
File : macosx_SecUpd_10_13_6_2018-002.nasl - Type : ACT_GATHER_INFO
2018-10-31 Name : The remote host is missing a macOS or Mac OS X security update that fixes mul...
File : macosx_SecUpd2018-005.nasl - Type : ACT_GATHER_INFO
2018-10-31 Name : The remote host is missing a macOS update that fixes multiple security vulner...
File : macos_10_14_1.nasl - Type : ACT_GATHER_INFO
2018-10-18 Name : The remote host is missing a macOS update that fixes multiple security vulner...
File : macos_10_14.nasl - Type : ACT_GATHER_INFO
2018-09-18 Name : The remote EulerOS Virtualization host is missing a security update.
File : EulerOS_SA-2018-1271.nasl - Type : ACT_GATHER_INFO
2018-09-18 Name : The remote EulerOS Virtualization host is missing multiple security updates.
File : EulerOS_SA-2018-1270.nasl - Type : ACT_GATHER_INFO
2018-09-18 Name : The remote EulerOS Virtualization host is missing a security update.
File : EulerOS_SA-2018-1267.nasl - Type : ACT_GATHER_INFO
2018-09-18 Name : The remote EulerOS Virtualization host is missing multiple security updates.
File : EulerOS_SA-2018-1265.nasl - Type : ACT_GATHER_INFO
2018-09-17 Name : The remote Debian host is missing a security update.
File : debian_DLA-1506.nasl - Type : ACT_GATHER_INFO
2018-08-17 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-4273.nasl - Type : ACT_GATHER_INFO
2018-07-30 Name : The remote Slackware host is missing a security update.
File : Slackware_SSA_2018-208-01.nasl - Type : ACT_GATHER_INFO
2018-07-27 Name : The remote Debian host is missing a security update.
File : debian_DLA-1446.nasl - Type : ACT_GATHER_INFO
2018-07-26 Name : The remote Amazon Linux 2 host is missing a security update.
File : al2_ALAS-2018-1049.nasl - Type : ACT_GATHER_INFO
2018-07-24 Name : The remote PhotonOS host is missing multiple security updates.
File : PhotonOS_PHSA-2018-2_0-0049.nasl - Type : ACT_GATHER_INFO
2018-07-24 Name : The remote PhotonOS host is missing multiple security updates.
File : PhotonOS_PHSA-2018-1_0-0151.nasl - Type : ACT_GATHER_INFO
2018-07-20 Name : The remote Debian host is missing a security update.
File : debian_DLA-1423.nasl - Type : ACT_GATHER_INFO
2018-07-18 Name : The remote Virtuozzo host is missing multiple security updates.
File : Virtuozzo_VZA-2018-048.nasl - Type : ACT_GATHER_INFO
2018-07-16 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2018-2164.nasl - Type : ACT_GATHER_INFO
2018-07-16 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2018-2162.nasl - Type : ACT_GATHER_INFO
2018-07-09 Name : The remote Fedora host is missing a security update.
File : fedora_2018-9f02e5ed7b.nasl - Type : ACT_GATHER_INFO
2018-07-05 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2018-1997.nasl - Type : ACT_GATHER_INFO
2018-07-05 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2018-1965.nasl - Type : ACT_GATHER_INFO
2018-07-05 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2018-2001.nasl - Type : ACT_GATHER_INFO
2018-07-03 Name : The remote EulerOS host is missing a security update.
File : EulerOS_SA-2018-1192.nasl - Type : ACT_GATHER_INFO
2018-07-03 Name : The remote EulerOS host is missing multiple security updates.
File : EulerOS_SA-2018-1201.nasl - Type : ACT_GATHER_INFO
2018-07-03 Name : The remote EulerOS host is missing a security update.
File : EulerOS_SA-2018-1200.nasl - Type : ACT_GATHER_INFO
2018-07-03 Name : The remote EulerOS host is missing multiple security updates.
File : EulerOS_SA-2018-1197.nasl - Type : ACT_GATHER_INFO
2018-07-03 Name : The remote EulerOS host is missing multiple security updates.
File : EulerOS_SA-2018-1196.nasl - Type : ACT_GATHER_INFO
2018-07-03 Name : The remote EulerOS host is missing multiple security updates.
File : EulerOS_SA-2018-1195.nasl - Type : ACT_GATHER_INFO
2018-07-03 Name : The remote EulerOS host is missing a security update.
File : EulerOS_SA-2018-1194.nasl - Type : ACT_GATHER_INFO
2018-07-03 Name : The remote EulerOS host is missing multiple security updates.
File : EulerOS_SA-2018-1193.nasl - Type : ACT_GATHER_INFO
2018-06-22 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2018-1854.nasl - Type : ACT_GATHER_INFO
2018-06-20 Name : The remote EulerOS host is missing a security update.
File : EulerOS_SA-2018-1153.nasl - Type : ACT_GATHER_INFO
2018-06-12 Name : The remote Amazon Linux 2 host is missing a security update.
File : al2_ALAS-2018-1038.nasl - Type : ACT_GATHER_INFO
2018-06-12 Name : The remote Amazon Linux 2 host is missing a security update.
File : al2_ALAS-2018-1033.nasl - Type : ACT_GATHER_INFO
2018-06-12 Name : The remote Amazon Linux 2 host is missing a security update.
File : al2_ALAS-2018-1034.nasl - Type : ACT_GATHER_INFO
2018-06-12 Name : The remote Amazon Linux 2 host is missing a security update.
File : al2_ALAS-2018-1037.nasl - Type : ACT_GATHER_INFO
2018-06-12 Name : The remote Amazon Linux 2 host is missing a security update.
File : al2_ALAS-2018-1039.nasl - Type : ACT_GATHER_INFO
2018-06-12 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2018-1034.nasl - Type : ACT_GATHER_INFO
2018-06-12 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2018-1037.nasl - Type : ACT_GATHER_INFO
2018-06-12 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2018-1038.nasl - Type : ACT_GATHER_INFO
2018-06-12 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2018-1039.nasl - Type : ACT_GATHER_INFO
2018-06-08 Name : The remote Fedora host is missing a security update.
File : fedora_2018-aec846c0ef.nasl - Type : ACT_GATHER_INFO
2018-05-31 Name : A server virtualization platform installed on the remote host is affected by ...
File : citrix_xenserver_CTX235225.nasl - Type : ACT_GATHER_INFO
2018-05-31 Name : The remote Virtuozzo host is missing multiple security updates.
File : Virtuozzo_VZA-2018-037.nasl - Type : ACT_GATHER_INFO
2018-05-30 Name : The remote Fedora host is missing a security update.
File : fedora_2018-6367a17aa3.nasl - Type : ACT_GATHER_INFO
2018-05-30 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2018-1669.nasl - Type : ACT_GATHER_INFO
2018-05-29 Name : The remote Virtuozzo host is missing multiple security updates.
File : Virtuozzo_VZA-2018-034.nasl - Type : ACT_GATHER_INFO
2018-05-29 Name : The remote Fedora host is missing a security update.
File : fedora_2018-93c2e74446.nasl - Type : ACT_GATHER_INFO
2018-05-25 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-4210.nasl - Type : ACT_GATHER_INFO
2018-05-25 Name : The remote Virtuozzo host is missing a security update.
File : Virtuozzo_VZA-2018-033.nasl - Type : ACT_GATHER_INFO
2018-05-23 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2018-1647.nasl - Type : ACT_GATHER_INFO
2018-05-23 Name : The remote AIX host is missing a security patch.
File : aix_IJ05820.nasl - Type : ACT_GATHER_INFO
2018-05-23 Name : The remote AIX host is missing a security patch.
File : aix_IJ05821.nasl - Type : ACT_GATHER_INFO
2018-05-23 Name : The remote AIX host is missing a security patch.
File : aix_IJ05822.nasl - Type : ACT_GATHER_INFO
2018-05-23 Name : The remote AIX host is missing a security patch.
File : aix_IJ05823.nasl - Type : ACT_GATHER_INFO
2018-05-23 Name : The remote AIX host is missing a security patch.
File : aix_IJ05824.nasl - Type : ACT_GATHER_INFO
2018-05-23 Name : The remote AIX host is missing a security patch.
File : aix_IJ05826.nasl - Type : ACT_GATHER_INFO
2018-05-23 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2018-1629.nasl - Type : ACT_GATHER_INFO
2018-05-23 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2018-1632.nasl - Type : ACT_GATHER_INFO
2018-05-23 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2018-1633.nasl - Type : ACT_GATHER_INFO
2018-05-23 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2018-1648.nasl - Type : ACT_GATHER_INFO
2018-05-23 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2018-1649.nasl - Type : ACT_GATHER_INFO
2018-05-23 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2018-1650.nasl - Type : ACT_GATHER_INFO
2018-05-23 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2018-1651.nasl - Type : ACT_GATHER_INFO
2018-05-23 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2018-1660.nasl - Type : ACT_GATHER_INFO
2018-05-23 Name : The remote AIX host is missing a security patch.
File : aix_IJ05818.nasl - Type : ACT_GATHER_INFO

Alert History

Date Information
2018-06-30 00:20:33
  • Multiple Updates
2018-05-22 17:21:21
  • Multiple Updates
2018-05-22 17:18:47
  • First insertion