Last revised: 01/11/2018
Palo Alto Networks is aware of recent vulnerability disclosures, known as Meltdown and Spectre (CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754), that affect modern CPU architectures. At this time, our findings show that these vulnerabilities pose no increased risk to Palo Alto Networks PAN-OS devices. This security advisory will be updated as more information becomes available or if there are changes in the impact of these vulnerabilities.
PAN-OS/Panorama platforms are not directly impacted by these vulnerabilities, because successful exploitation on a PAN-OS device requires an attacker to have already compromised the PAN-OS operating system. We treat any vulnerability that compromises PAN-OS to allow the execution of code as a critical vulnerability. Any such vulnerability would be urgently patched and made available in a PAN-OS maintenance update for all supported versions of PAN-OS. Because of the low risk of the vulnerability and the relatively high risk of the known patch options, the risk and impact must be carefully considered and thoroughly understood. We will continue to monitor the situation as it evolves and to evaluate patching options from our partner vendors as they become available. We will update this bulletin with information on software patches or other mitigations as they become available. For more background, please see https://researchcenter.paloaltonetworks.com/2018/01/understanding-affected-not-vulnerable/.
No action is required at this time. This bulletin will be updated as more information becomes available. The security and stability of our products are a top priority. We will continue to monitor the situation as it evolves, and to evaluate update options...
Customers looking to mitigate their exposure to Meltdown and Spectre on their endpoints are encouraged to consult their equipment manufacturers and operating system vendors on steps to patch or mitigate that exposure. IPS coverage for known attacks has been added to content updates beginning with version 763; however, we strongly advise customers to patch endpoints at high risk of exploitation. The Traps agent does not detect or prevent this specific type of CPU-level side-channel attack.