VN 2018-001 (CVE-2017-5715, CVE-2017-5753, CVE-2018-3639, CVE-2018-3640 - Spectre)
- Article Type:
- Vulnerability Notice
- Article Number:
- Last Modified:
"Spectre" is an attack that utilizes the speculative execution mechanism in modern processors to create a side-channel attack using the processor cache. Local execution of a crafted program is required to conduct the exploit.
The Spectre exploit has been demonstrated to communicate arbitrary kernel space memory contents to an unprivileged user process. However, the Spectre exploit may be utilized to create arbitrary illegal information flows between two cooperating subjects running crafted code.
Extreme products utilize a number of different processor architectures, some of which contain the Spectre vulnerability. Currently demonstrated Spectre exploits require execution of crafted code installed on the target device. Extreme products that do not provide a mechanism to execute third-party code are not exposed to Spectre exploits provided other unauthorized means are not employed to gain privileged access to the system to install code.
While it is theoretically possible to conduct an attack strictly via network access, the challenges that must be overcome to identify the required code patterns and induce the required behavior to conduct an impactful exploit in a production environment are sufficiently high that the network-based exploit is not considered practicable at this time.
Extreme products deployed in virtual environments may be exposed to Spectre if the hosting environment is vulnerable.
Extreme continues to monitor and evaluate upstream vendor processor microcode and software updates. Patches or other mitigations may be deployed in future software updates.
As new variants of the Spectre attacks become available, they will generally be added to this Vulnerability Notice under the assumption that the general exploitation model remains the same. That is, successful exploitation requires local execution of crafted code supplied by an attacker. New VNs will be created if new variants are announced that significantly differ from this exploitation model.
Products Potentially Affected
(1)Extreme is evaluating the stability and performance impacts of possible patches to the processor microcode and OS kernel. A final remediation plan is pending completion of testing. Due to the nature and scope of changes required to implement available patches, there are currently no plans to backport Spectre/Meltdown remediations to currently shipping releases. Customers are advised to implement the suggested mitigations to control import and execution of user scripts.
(2)Extreme is evaluating the stability and performance impacts of possible patches to the processor microcode. Extreme is also exploring methods for disabling user script execution. A final remediation plan is pending completion of testing.
Currently demonstrated Spectre exploits require execution of crafted code installed on the target device. While the circumstances for using the capability are rare, ExtremeSwitching and Data Center platforms support the import and execution of user scripts via local access only.
Exposure to impactful Spectre exploits may be reduced to a negligible level by strictly controlling imported scripts or altogether disabling the ability to execute imported scripts.
Mitigations customers may implement immediately focus on control of imported scripts:
Extreme is exploring methods for disabling user script execution for SLX platforms.
Customers of Extreme products that provide a mechanism to execute third-party code are urged to exercise care in evaluating and authenticating any applications deployed on the Extreme platform.
Customers that deploy Extreme products in virtual environments are reminded to harden their virtual environment and install all security updates.
Customers are reminded to observe all security best practices in configuration of their systems to reduce exposure to unauthorized access.
This advisory notice is provided on an “as is” basis and Extreme Networks makes no representations or warranties of any kind, expressly disclaiming the warranties of merchantability or fitness for a particular use. Use of the information provided herein or materials linked from this advisory notice is at your own risk. Extreme Networks reserves the right to change or update this document at any time, and expects to update this document as new information becomes available. The information provided herein is applicable to current Extreme Networks products identified herein and is not intended to be any representation of future functionality or compatibility with any third-party technologies referenced herein. This notice shall not change any contract or agreement that you have entered into with Extreme Networks.