PAN-SA-2018-0001 Information about Meltdown and Spectre findings
Description
Palo Alto Networks is aware of recent vulnerability disclosures, known as Meltdown and Spectre (CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754), that affect modern CPU architectures. At this time, our findings show that these vulnerabilities pose no increased risk to Palo Alto Networks PAN-OS devices. This security advisory will be updated as more information becomes available or if there are changes in the impact of these vulnerabilities.
PAN-OS/Panorama platforms are not directly impacted by these vulnerabilities, as successful exploitation on PAN-OS devices requires an attacker to have already compromised the PAN-OS operating system. We treat any vulnerability that compromises PAN-OS to allow the execution of code as a critical vulnerability. Any such vulnerability would be urgently patched and made available in a PAN-OS maintenance update for all supported versions of PAN-OS.
Because of the low risk of the vulnerability and the relatively high risk of known patch options, the risk and impact must be carefully considered and thoroughly understood. We will continue to monitor the situation as it evolves, and to evaluate patching options from our partner vendors as they become available. We will update this bulletin as software patches or other mitigations become available.
For more background, please see the following: https://researchcenter.paloaltonetworks.com/2018/01/understanding-affected-not-vulnerable/.
CVE | Summary |
---|---|
CVE-2017-5715 | Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis. |
CVE-2017-5753 | Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis. |
CVE-2017-5754 | Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache. |
Product Status
Versions | Affected | Unaffected |
---|---|---|
PAN-OS | None | All |
Severity: NONE
CVSSv3.1 Base Score: 0 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:N)
Weakness Type
Solution
No action is required at this time. This bulletin will be updated as more information becomes available. The security and stability of our products are a top priority. We will continue to monitor the situation as it evolves, and to evaluate update options...
Workarounds and Mitigations
Customers looking to mitigate their exposure to Meltdown and Spectre on their endpoints are encouraged to consult with their equipment manufacturers and operating system vendors on steps to patch or mitigate exposure. IPS coverage for known attacks has been added to content updates, beginning with version 763 and later; however, we strongly advise customers to patch endpoints at high risk of exploitation. The Traps agent does not detect/prevent this specific type of CPU-level side-channel attack.