K31300402

Virtual Machine Manager L1 Terminal Fault vulnerability CVE-2018-3646

2018-10-04 15:26:00
support.f5.com

CVSS v3.0 base score: 5.6 (Medium)
  Attack Vector: Local; Attack Complexity: High; Privileges Required: Low; User Interaction: None; Scope: Changed; Confidentiality Impact: High; Integrity Impact: None; Availability Impact: None
  Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

CVSS v2 base score: 4.7 (Medium)
  Access Vector: Local; Access Complexity: Medium; Authentication: None; Confidentiality Impact: Complete; Integrity Impact: None; Availability Impact: None
  Vector: AV:L/AC:M/Au:N/C:C/I:N/A:N

EPSS: 0.0004 (Low), percentile 11.1%

Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis. (CVE-2018-3646 also known as Foreshadow-NG)

Impact

BIG-IP

CVE-2018-3646 requires an attacker who is capable of providing and running binary code of their choosing on the BIG-IP platform. This raises a high bar for attackers attempting to target BIG-IP systems over a network and would require an additional, unpatched, user-space remote code execution vulnerability to exploit these new issues.

The only administrative roles on a BIG-IP system allowed to execute binary code or exploitable analogs, such as JavaScript, are the Administrator, Resource Administrator, Manager, and iRules Manager roles. The Administrator and Resource Administrator users already have nearly complete access to the system and to all secrets on the system that are not protected by hardware-based encryption. The Manager and iRules Manager roles have more restricted access to the system, but they can install new iRulesLX code. A malicious authorized Manager or iRules Manager can install malicious binary code to exploit these information leaks and gain more privileged access. F5 recommends limiting access to these roles to trusted employees.

F5 believes that BIG-IP Virtual Editions running as a guest on public or private cloud infrastructure are no more vulnerable than any other Linux-based guest. The host hypervisor must be patched to mitigate these issues for the host and between guests.

F5 believes that the highest impact realistic attack for CVE-2018-3646 may occur in multi-tenancy vCMP configurations:

CVE-2018-3646 may allow an attacker in one administrative domain to collect privileged information from the host or from guests owned by another administrative domain, as long as the attacker's guest is configured as a single-core guest. Exploiting this would be significantly more difficult on BIG-IP than on a standard Linux-based system because of the BIG-IP memory and process scheduling architecture. BIG-IP always maps both hyper-threads of a given core to any guest whose "Cores Per Guest" setting is two or more, but single-core guests may execute on the same processor core (and therefore share its L1 data cache) as another single-core guest or as host code. This threat may be mitigated by ensuring all guests are set to at least two "Cores Per Guest".
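An operator who wants to verify the mitigation above needs to know which vCMP guests are still single-core. The following added example (not F5 code) scans text in the style of `tmsh list vcmp guest` and reports guests that fall below the recommended two cores. The input format, the property name `cores-per-slot` as the tmsh spelling of "Cores Per Guest", and the sample output are all assumptions of this example, and the sample is constructed rather than captured from a real system.

```python
"""
Added example (not F5 code): flag vCMP guests configured with fewer than two
cores, the configuration the advisory identifies as exposed to cross-guest
L1TF leakage. Input format and the `cores-per-slot` property name are assumed.
"""
import re

MIN_CORES = 2  # the advisory's recommendation: at least two "Cores Per Guest"

# Constructed sample in the shape of `tmsh list vcmp guest` output (assumed format).
SAMPLE_OUTPUT = """\
vcmp guest tenant-a {
    cores-per-slot 1
    state deployed
}
vcmp guest tenant-b {
    cores-per-slot 2
    state deployed
}
vcmp guest lab-guest {
    state configured
}
"""

GUEST_BLOCK = re.compile(r"vcmp guest (\S+) \{(.*?)\n\}", re.S)
CORES_LINE = re.compile(r"^\s*cores-per-slot\s+(\d+)\s*$", re.M)


def parse_guests(text):
    """Return {guest_name: cores or None} for every guest block in the text.
    None means the property was not listed (tmsh omits defaults), so the
    guest's core count cannot be confirmed from this output alone."""
    guests = {}
    for block in GUEST_BLOCK.finditer(text):
        name, body = block.group(1), block.group(2)
        match = CORES_LINE.search(body)
        guests[name] = int(match.group(1)) if match else None
    return guests


def guests_needing_review(text, minimum=MIN_CORES):
    """Sorted names of guests below the minimum or with an unstated core count.
    An unstated count is reported rather than assumed safe."""
    return sorted(name for name, cores in parse_guests(text).items()
                  if cores is None or cores < minimum)


if __name__ == "__main__":
    for name in guests_needing_review(SAMPLE_OUTPUT):
        cores = parse_guests(SAMPLE_OUTPUT)[name]
        shown = "not listed" if cores is None else str(cores)
        print(f"{name}: cores-per-slot {shown} (recommended >= {MIN_CORES})")
```

Guests whose core count is absent from the listing are reported for review instead of being treated as compliant, since a missing property usually means the default is in effect and the default cannot be confirmed from this output.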

BIG-IQ

On a BIG-IQ system, an attacker needs shell access using the Advanced Shell (bash) or TMOS Shell (tmsh) to execute binary code. By default, only the root and admin users on a BIG-IQ system have shell access. Additionally, only users with the Administrator role can be granted shell access, and this step must be performed using the shell.

iWorkflow

On an iWorkflow system, an attacker needs shell access using bash or tmsh to execute binary code. By default, only the root user on an iWorkflow system has shell access. Additionally, only users with the Administrator role can be granted shell access, and this step must be performed using the shell.

Enterprise Manager

On an Enterprise Manager system, an attacker needs shell access using bash or tmsh to execute binary code. By default, only the root user on an Enterprise Manager system has shell access. Additionally, only users with the Administrator role can be granted shell access.

Traffix SDC

An unprivileged attacker can use this vulnerability to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks.
