
K21344224 : Lazy FP state restore vulnerability CVE-2018-3665

2018-06-21 00:00:00
my.f5.com

CVSS3: 5.6 Medium
Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

AI Score: 7 High (Confidence: High)

CVSS2: 4.7 Medium
Access Vector: LOCAL
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:L/AC:M/Au:N/C:C/I:N/A:N

EPSS: 0.001 Low (Percentile: 31.2%)

Security Advisory Description

System software utilizing Lazy FP state restore technique on systems using Intel Core-based microprocessors may potentially allow a local process to infer data from another process through a speculative execution side channel. (CVE-2018-3665)

A Floating-Point (FP) state information leakage flaw was found in the way the Linux kernel saves and restores the FP state during task switch. Linux kernels that follow the “Lazy FP Restore” scheme are vulnerable to the FP state information leakage issue. An unprivileged, local attacker can use this flaw to read FP state bits by conducting targeted cache side-channel attacks, similar to the Meltdown vulnerability disclosed earlier this year.

Impact

This vulnerability requires an attacker to induce speculative execution of code to acquire privileged information, then leak that information via a micro-architectural side-channel. Intel Core processors are affected. AMD processors are not affected.

F5 is investigating the impact of this vulnerability on our products. F5 is focused on providing patched releases as soon as we have fully tested and verified fixes. F5 will update this article with the most current information as soon as it is confirmed.

BIG-IP

This vulnerability requires an attacker who can provide and run binary code of their choosing on the BIG-IP platform. This raises a high bar for attackers attempting to target BIG-IP systems over a network and would require an additional, unpatched, user-space remote code execution vulnerability to exploit these new issues.

The only administrative roles on a BIG-IP system that can execute binary code or exploitable analogs, such as JavaScript, are the Administrator, Resource Administrator, Manager, and iRules Manager roles. The Administrator and Resource Administrator roles already have nearly complete access to the system and all secrets on the system that are not protected by hardware-based encryption. The Manager and iRules Manager roles have access restrictions, but they can install new iRulesLX code. A malicious authorized Manager or iRules Manager can install malicious binary code to exploit these information leaks and gain more privileged access. F5 recommends limiting these roles to trusted employees.

To determine the processor type used by each platform and if the platform is affected by this vulnerability, refer to the following table.

Note: In the following table, only one entry is shown for platform models that may have several variants. For example, BIG-IP 11000, BIG-IP 11050, BIG-IP 11050F, and BIG-IP 11050N are all included in the table as “BIG-IP 110x0”. Some platforms may have multiple vendor processors, such as the iSeries platforms, which have one or more Intel Core processors and may have a vulnerable ARM processor in one or more subsystems. F5 does not believe that ARM processors in these subsystems are accessible to attackers, unless some other code-execution vulnerability is present, but the information is being provided out of an abundance of caution.

Model             Processor type   Vulnerable to CVE-2018-3665 (Lazy FP state restore)
VIPRION B21x0     Intel            N*
VIPRION B2250     Intel            N*
VIPRION B4100     AMD              N
VIPRION B4200     AMD              N
VIPRION B43x0     Intel            N*
VIPRION B44x0     Intel            N*
BIG-IP 2xx0       Intel            Y
BIG-IP 4xx0       Intel            N*
BIG-IP 5xx0       Intel            N*
BIG-IP 7xx0       Intel            N*
BIG-IP 10xx0      Intel            N*
BIG-IP 110x0      AMD              N
BIG-IP 12xx0      Intel            N*
BIG-IP i2x00      Intel, ARM       N*
BIG-IP i4x00      Intel, ARM       N*
BIG-IP i5x00      Intel, ARM       N*
BIG-IP i7x00      Intel, ARM       N*
BIG-IP i10x00     Intel, ARM       N*
BIG-IP 800        Intel            Y
BIG-IP 1600       Intel            Y
BIG-IP 3600       Intel            Y
BIG-IP 3900       Intel            N*
BIG-IP 6400       AMD              N
BIG-IP 6900       AMD              N
BIG-IP 89x0       AMD              N

*Intel Xeon-based processors are not vulnerable to this issue.

Note: Platform models that have reached End of Technical Support (EoTS) will not be evaluated. For more information, refer to K4309: F5 platform lifecycle support policy.

BIG-IQ and Enterprise Manager

To determine the processor type used by each platform and if the platform is affected by this vulnerability, refer to the following table.

Model                     Processor type   Vulnerable to CVE-2018-3665 (Lazy FP state restore)
BIG-IQ 7000               Intel            Y
Enterprise Manager 4000   Intel            Y

Note: Platform models that have reached EoTS will not be evaluated. For more information, refer to K4309: F5 platform lifecycle support policy.

ARX

To determine the processor type used by each platform and if the platform is affected by this vulnerability, refer to the following table.

Model             Processor type   Vulnerable to CVE-2018-3665 (Lazy FP state restore)
ARX 1500+         Intel            Y*
ARX 2500          Intel            Y*
ARX 4000/4000+    Intel            Y*

*The specified platforms contain the affected processor. However, F5 identifies the ARX software vulnerability status as Not vulnerable because the attacker cannot exploit the code in default, standard, or recommended configurations.

Note: Platform models that have reached EoTS will not be evaluated. For more information, refer to K4309: F5 platform lifecycle support policy.

Traffix SDC

Systems with microprocessors that use speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access by way of a side-channel analysis.

LineRate

Systems with microprocessors that use speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access by way of a side-channel analysis.

For products with None in the Versions known to be vulnerable column in the following table, there is no impact.
