K29146534 : SSB Variant 4 vulnerability CVE-2018-3639

ID: F5:K29146534
Published: 2018-07-10 00:00:00
Source: my.f5.com

CVSS3: 5.5 Medium
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score: 6.2 Medium
Confidence: High

CVSS2: 2.1 Low
Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.002 Low
Percentile: 52.4%

Security Advisory Description

Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4. (CVE-2018-3639)

Impact

All exposure is limited to the control plane, also known as the management plane. There is no exposure on BIG-IP products by way of the data plane. Additionally, on the control plane, the vulnerabilities are exploitable only by the following four authorized, authenticated account roles: Administrator, Resource Administrator, Manager, and iRules Manager. An attacker must be authorized to access the system in one of these roles to attempt to exploit the vulnerabilities.

This vulnerability requires an attacker who can provide and run binary code of their choosing on the BIG-IP platform. As a result, these conditions severely restrict the exposure risk of BIG-IP products.

Single-tenancy products

For single-tenancy products, such as a standalone BIG-IP device, the risk is limited to a local, authorized user employing one of the vulnerabilities to read information from memory that they would not normally access, exceeding their privileges. A user may be able to access kernel-space memory, instead of their own user-space.

Multi-tenancy environments

For multi-tenancy environments, such as cloud, Virtual Edition (VE), and Virtual Clustered Multiprocessing (vCMP), the same local kernel memory access risk applies as in single-tenancy environments. Additionally, there is a risk of attacks across guests, or attacks against the hypervisor or host. In cloud and VE environments, preventing these new attacks falls on the hypervisor or host platform, which is outside the scope of F5’s ability to support or patch. Contact your cloud provider or hypervisor vendor to ensure their platforms or products are protected against Spectre variants.

For vCMP environments, F5 believes that while the Spectre Variant attacks offer a theoretical possibility of guest-to-guest or guest-to-host attacks, these would be very difficult to successfully conduct in the BIG-IP environment. The primary risk in the vCMP environment with Spectre variants only exists when vCMP guests are configured to use a single core. If the vCMP guests are configured to use two or more cores, the Spectre Variant vulnerabilities are eliminated.
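For the cloud and VE case above, where protection depends on the hypervisor or host platform, the following added example (not F5's code and not part of the original advisory) classifies the Speculative Store Bypass status that a Linux kernel reports through sysfs. It assumes the host runs a Linux kernel that exposes this file; the function names and verdict labels are hypothetical, and the sample status lines are constructed.

```shell
#!/bin/sh
# Added example: classify the Linux kernel's Speculative Store Bypass
# (CVE-2018-3639) status line. Assumes a Linux host; names are hypothetical.
SSB_SYSFS=/sys/devices/system/cpu/vulnerabilities/spec_store_bypass

# Map one status line to a coarse verdict suitable for fleet reporting.
classify_ssb_status() {
    case "$1" in
        "Not affected")
            echo not_affected ;;
        "Mitigation: Speculative Store Bypass disabled")
            # SSB is turned off for every task on the host.
            echo mitigated_global ;;
        "Mitigation: Speculative Store Bypass disabled via prctl"*)
            # Only tasks that opt in (prctl, or seccomp where listed) are
            # protected; all other tasks still run with SSB enabled.
            echo mitigated_opt_in ;;
        Vulnerable*)
            echo vulnerable ;;
        *)
            echo unknown ;;
    esac
}

# Read the status from a file (default: the live sysfs entry) and classify it.
ssb_verdict() {
    file=${1:-$SSB_SYSFS}
    if [ -r "$file" ]; then
        classify_ssb_status "$(cat "$file")"
    else
        # The kernel does not report SSB status here (file absent or unreadable).
        echo unreported
    fi
}

# Constructed sample status lines, followed by the verdict for this host.
for sample in \
    "Not affected" \
    "Vulnerable" \
    "Mitigation: Speculative Store Bypass disabled" \
    "Mitigation: Speculative Store Bypass disabled via prctl" \
    "Mitigation: Speculative Store Bypass disabled via prctl and seccomp"
do
    printf '%-18s %s\n' "$(classify_ssb_status "$sample")" "$sample"
done
printf 'this host: %s\n' "$(ssb_verdict)"
```

A `mitigated_opt_in` verdict means the mitigation applies per task, so processes that do not request it remain exposed to Variant 4.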

Vulnerability research

F5 is working with its hardware component vendors to determine the scope of vulnerabilities across its various generations of hardware platforms. All of the current information from F5’s vendors is represented in this security advisory. F5 is working to obtain the remaining information from its vendors and will update the security advisory as F5 receives new information regarding its hardware platforms.

F5 is also testing the fixes produced by the Linux community, and is conducting an extensive test campaign to characterize the impact of the fixes on system performance and stability to ensure a good experience for its customers. F5 does not want to rush the process and release fixes without a full understanding of potential issues. Given the limited exposure, the complexity of the fixes, and the potential issues, a detailed approach is warranted and rushing a fix could result in an impact to system stability or unacceptable performance costs. F5 will update this article with fixes as they become available.
