SA161: Local Information Disclosure Due to Meltdown and Spectre Attacks

SUMMARY

Symantec Network Protection products, which run on an affected CPU chipset and execute arbitrary code from external sources, are susceptible to several information disclosure vulnerabilities (aka Meltdown and Spectre attacks). A remote attacker, with the ability to execute arbitrary code locally on the target, can obtain sensitive information from the memory spaces of the same userspace application, other userspace applications, the operating system, or a VM hypervisor.

AFFECTED PRODUCTS

The following products are vulnerable. All hardware platforms are affected unless specified otherwise:

Content Analysis (CA)

CVE |Affected Version(s)|Remediation
All CVEs | 2.4 | Not vulnerable, fixed in 2.4.1.1. Please update all Windows iVM profiles with the latest Windows patches.
2.1, 2.2, 2.3 | Upgrade to later release with fixes.

Malware Analysis (MA)

CVE |Affected Version(s)|Remediation
All CVEs | 4.2 | Upgrade to a version of Content Analysis with fixes.

Security Analytics

CVE |Affected Version(s)|Remediation
All CVEs | 8.0 | Not vulnerable, fixed in 8.0.1.
7.3 | Upgrade to 7.3.3.
7.1, 7.2 | Upgrade to later release with fixes.

X-Series XOS

CVE |Affected Version(s)|Remediation
All CVEs | 11.0 | Not available at this time
10.0 | Upgrade to later release with fixes.
9.7 | Upgrade to later release with fixes.

ADDITIONAL PRODUCT INFORMATION

Content Analysis (CA) is only vulnerable when configured with on-box sandboxing. Only the Windows iVM profiles are vulnerable. Starting with CA 2.4, updating all Windows iVM profiles to include the Spectre/Meltdown patches remediates these vulnerabilities.

Security Analytics is only vulnerable when an administrator user executes malicious code on the appliance.

X-Series XOS is only vulnerable when an administrator user accesses the XOS diagnostics functionality and executes malicious code on the appliance. The NPM-8620 (standalone and in X20 chassis), NPM-8650, and NPM-9600 platforms are not affected.

The following products use affected CPU chipsets, but do not allow administrators to execute arbitrary code and are not vulnerable to known vectors of attack:
**Advanced Secure Gateway
CacheFlow **(CF5000-CX and CF5000-MX platforms are not affected by Meltdown) **Content Analysis 1.3
Director
Mail Threat Defense
Management Center
Norman Shark Industrial Control System Protection
PacketShaper
PacketShaper S-Series
PolicyCenter S-Series
ProxyAV
ProxySG **(SG300, SG600, and SG9000 platforms are not affected by Meltdown) Reporter 10.1
SSL Visibility

The following products run as userspace applications on customer-provided hardware platforms and operating systems. The vulnerabilities addressed in this security advisory are not present in our applications, but these applications can be targeted by an attacker if the underlying hardware platforms and operating systems are vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
HSM Agent for the Luna SP
IntelligenceCenter
IntelligenceCenter Data Collector
K9
PolicyCenter
ProxyClient
ProxyAV ConLog and ConLogXP
Reporter 9.5
Unified Agent

The following products are not vulnerable:

**Web Isolation

**

ISSUES

CVE-2017-5715 (Spectre variant 2)

Severity / CVSSv2 | Medium / 4.7 (AV:L/AC:M/Au:N/C:C/I:N/A:N) References| SecurityFocus: BID 102376 / NVD: CVE-2017-5715 Impact| Information disclosure Description | Spectre variant 2 exploits an information disclosure vulnerability in CPU chipsets that support speculative execution through branch prediction. A malicious userspace application can obtain unauthorized access to sensitive data from the memory space of the same or a different userspace application by accessing data left uncleared in the CPU cache after speculatively executed CPU instructions loaded due to a mispredicted branch target. The attack may also allow malicious code running as a guest in a virtual machine to obtain unauthorized access to sensitive data from the VM hypervisor memory.

CVE-2017-5753 (Spectre variant 1)

Severity / CVSSv2 | Medium / 4.7 (AV:L/AC:M/Au:N/C:C/I:N/A:N) References| SecurityFocus: BID 102371 / NVD: CVE-2017-5753 Impact| Information disclosure Description | Spectre variant 1 exploits an information disclosure vulnerability in CPU chipsets that support speculative execution through branch prediction. A malicious userspace application can obtain unauthorized access to sensitive data from the memory space of the same or a different userspace application by accessing data left uncleared in the CPU cache after speculatively executed CPU instructions loaded due to an incorrect brant prediction.

CVE-2017-5754 (Meltdown)

Severity / CVSSv2 | Medium / 4.7 (AV:L/AC:M/Au:N/C:C/I:N/A:N) References| SecurityFocus: BID 102378 / NVD: CVE-2017-5754 Impact| Information disclosure Description | The Meltdown attack exploits an information disclosure vulnerability in CPU chipsets that support out-of-order execution. It allows a malicious userspace application to access sensitive information from the kernel memory spaces or from the memory spaces of another userspace application. If a userspace application attempts to access a memory location reserved for the operating system, the system triggers an exception. A CPU chipset supporting out-of-order execution may fetch sensitive data and store it in the CPU cache before detecting the exception. The data remains uncleared in the CPU cache, where a malicious userspace application can access it via side-channel analysis.

REFERENCES

Meltdown and Spectre - <https://meltdownattack.com/&gt;
CERT Vulnerability Note VU#584653 - <https://www.kb.cert.org/vuls/id/584653&gt;

REVISION

2020-04-30 Advisory status changed to Closed.
2020-01-19 A fix will not be provided for Malware Analysis. Please upgrade to a version of Content Analysis with the vulnerability fixes.
2019-10-02 Web Isolation is not vulnerable.
2019-08-17 CA 2.4 is not vulnerable because a fix is available in CA 2.4. Customers need to update all Windows iVM profiles with the latest Windows patches.
2019-01-21 A fix for Security Analytics 7.3 is available in 7.3.3. Security Analytics 8.0 is not vulnerable because a fix is available in 8.0.1.
2018-04-25 A fix for XOS 9.7 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-04-22 CA 2.3 is vulnerable.
2018-04-01 All hardware platforms are affected unless specified otherwise in the Affected Products section.
2018-01-09 PolicyCenter (non S-Series) and Reporter 9.5 run as userspace applications on customer-provided hardware platforms and operating systems. The vulnerabilities addressed in this security advisory are not present in these applications, but they can be targeted by an attacker if the underlying hardware platforms and operating systems are vulnerable.
2018-01-08 initial public release