-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0543
          McAfee lists products affected by Spectre/Meltdown
                              23 February 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           McAfee products
Publisher:         McAfee
Operating System:  Network Appliance
                   Virtualisation
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Access Privileged Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-5754 CVE-2017-5753 CVE-2017-5715
Reference:         ESB-2018.0042.2

Original Bulletin:
   https://kc.mcafee.com/corporate/index?page=content&id=SB10226

- --------------------------BEGIN INCLUDED TEXT--------------------

- -------------------------------------------------------------------------------
McAfee Security Bulletin - Updates for microprocessors side channel analysis
vulnerabilities CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754
(Meltdown/Spectre)

Security Bulletins ID:   SB10226
Last Modified:           2/21/2018
- -------------------------------------------------------------------------------

Summary

First Published:         February 16, 2018
Impact of Vulnerability: Data Leakage via Privilege Escalation (CWE-269)
                         Privilege Escalation (CWE-274)

CVE Information

CVE Numbers:     Severity Rating     CVSS v3 Base Score
CVE-2017-5715    Medium              5.6
CVE-2017-5753    Medium              5.6
CVE-2017-5754    Medium              5.6

Highest CVSS v3 Base Score: 5.6

Recommendations:         Deploy product updates as they are made available.
Security Bulletin Replacement: None
Affected Software:       See the Product Vulnerability Status lists below
Location of Updated Software:
                         http://www.mcafee.com/us/downloads/downloads.aspx

Article contents:
  * Vulnerability Description
  * Product Vulnerability Status
  * Remediation
  * Product Specific Notes
  * Mitigations
  * Acknowledgements
  * Frequently Asked Questions (FAQs)
  * Resources
  * Disclaimer

Description

A set of three vulnerabilities disclosed by Intel on January 3, 2018, named
Meltdown and Spectre, impact McAfee appliance products. Spectre includes
CVE-2017-5715 and CVE-2017-5753, and Meltdown includes CVE-2017-5754.

McAfee Blog Posts:
  * Decyphering the Noise Around 'Meltdown' and 'Spectre'
  * Meltdown and Spectre 101: What to Know About the New Exploits

Knowledge Base Articles:
  * KB90167 - Meltdown and Spectre - McAfee Product Compatibility Update
    (Corporate Products)
  * TS102769 - Microsoft Security Update January 2018 (Meltdown and Spectre)
    and McAfee consumer products

CVE-2017-5715
Systems with microprocessors utilizing speculative execution and indirect
branch prediction may allow unauthorized disclosure of information to an
attacker with local user access via a side-channel analysis.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5715

CVE-2017-5753
Systems with microprocessors utilizing speculative execution and branch
prediction may allow unauthorized disclosure of information to an attacker
with local user access via a side-channel analysis.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5753

CVE-2017-5754
Systems with microprocessors utilizing speculative execution and indirect
branch prediction may allow unauthorized disclosure of information to an
attacker with local user access via a side-channel analysis of the data
cache.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5754

Product Vulnerability Status

McAfee produces several security appliances that ship with an operating
system such as Linux or Windows and use Intel, AMD, or other modern
processors. Meltdown impacts only Intel processors. Spectre impacts Intel,
AMD, ARM, and other processors. For information regarding McAfee product
patch compatibility, see KB90167.

Patches addressing CVE-2017-5753 and CVE-2017-5754 are available for certain
McAfee products as shown in the Remediation table below. Patches for
CVE-2017-5715 depend on updates to Intel microcode that are not yet
available. McAfee will update the status for these patches once the
microcode is available.

The investigation into all McAfee products is ongoing. This security
bulletin will be updated as additional information is available. Not every
version of the vulnerable and updated products is vulnerable. See the
Product Specific Notes section below for details. Products not listed or on
the "No Vulnerabilities Reported" list are being investigated.

No Vulnerabilities Reported
  1. Data Loss Prevention Endpoint (DLP Endpoint) / Host Data Loss
     Prevention (HDLP)
  2. Endpoint Security (ENS)
  3. ePO Cloud / ToPS Server (TPS)
  4. ePolicy Orchestrator (ePO)
  5. Host Intrusion Prevention Services (Host IPS)
  6. McAfee Agent (MA)
  7. VirusScan Enterprise (VSE)
  8. VirusScan Enterprise for Storage (VSES)
  9. Other McAfee products that do not ship with an operating system

For a description of each product, see:
http://www.mcafee.com/us/apps/products-az.aspx.
Remediation

Go to the Product Downloads site and download the applicable product
patch/hotfix files:

+-----------------------------------------------------------------------------+
|            |                | Patch Available                               |
|------------+----------------+-----------------------------------------------|
| Category   | Product and    | CVE-2017-5715 | CVE-2017-5753 | CVE-2017-5754 |
|            | Versions       | (Spectre)     | (Spectre)     | (Meltdown)    |
|------------+----------------+---------------+---------------+---------------|
| Vulnerable | Data Exchange  |               |               |               |
| and        | Layer (DXL)    | No            | Yes           | Yes           |
| Updated    | 2.2, 3.x, 4.0  |               |               |               |
|            |----------------+---------------+---------------+---------------|
|            | GTI Proxy      | OS patch*     | OS patch*     | OS patch*     |
|            | Appliance      |               |               |               |
|            |----------------+---------------+---------------+---------------|
|            | McAfee Active  |               |               |               |
|            | Response (MAR) | No            | No            | Yes           |
|            | 2.2.0          |               |               |               |
|            |----------------+---------------+---------------+---------------|
|            | McAfee         |               |               |               |
|            | Vulnerability  | OS patch*     | OS patch*     | OS patch*     |
|            | Manager (MVM)  |               |               |               |
|            |----------------+---------------+---------------+---------------|
|            | Network Data   |               |               |               |
|            | Loss           |               |               |               |
|            | Prevention     | No            | Yes           | Yes           |
|            | (Network DLP)  |               |               |               |
|            | 10.x, 11.x     |               |               |               |
|            |----------------+---------------+---------------+---------------|
|            | Network        |               |               |               |
|            | Security       | OS patch*     | OS patch*     | OS patch*     |
|            | Manager (NSM)  |               |               |               |
|            | Appliances     |               |               |               |
|            |----------------+---------------+---------------+---------------|
|            | NSM Server     | OS patch*     | OS patch*     | OS patch*     |
|            | Software       |               |               |               |
|            |----------------+---------------+---------------+---------------|
|            | NSM Clients    | Browser       | Browser       | Browser       |
|            |                | patch*        | patch*        | patch*        |
|            |----------------+---------------+---------------+---------------|
|            | McAfee Web     |               |               |               |
|            | Gateway (MWG)  |               |               |               |
|            | 7.8.1.x,       | No            | No            | Yes           |
|            | 7.7.2.9,       |               |               |               |
|            | 7.6.2.19       |               |               |               |
|            |----------------+---------------+---------------+---------------|
|            | Threat         |               |               |               |
|            | Intelligence   | No            | No            | Yes           |
|            | Exchange (TIE) |               |               |               |
|            | Server         |               |               |               |
|            |----------------+---------------+---------------+---------------|
|            | Web Gateway    |               |               |               |
|            | Cloud Service  |               |               |               |
|            | (WGCS) / SaaS  | Patched       | Patched       | Patched       |
|            | Web Protection |               |               |               |
|            | (SWE)          |               |               |               |
|            |----------------+---------------+---------------+---------------|
|            | Web Protection | No            | Yes           | Yes           |
|            | Service (WPS)  |               |               |               |
|------------+----------------+---------------+---------------+---------------|
| Vulnerable | Advanced       |               |               |               |
| and Not    | Threat Defense |               |               |               |
| Yet        | (ATD) 4.x      |               |               |               |
| Updated    |----------------+---------------+---------------+---------------|
|            | McAfee Email   |               |               |               |
|            | Gateway (MEG)  |               |               |               |
|------------+----------------+---------------+---------------+---------------|
| Vulnerable | Network DLP    |               |               |               |
| but Low    | 9.3.4          |               |               |               |
| Risk       |----------------+---------------+---------------+---------------|
|            | Network        |               |               |               |
|            | Security       |               |               |               |
|            | Platform (NSP) |               |               |               |
|            | Sensor         |               |               |               |
|            | Hardware       |               |               |               |
|            | Appliances     |               |               |               |
|            |----------------+---------------+---------------+---------------|
|            | NSP Sensor     |               |               |               |
|            | Virtual        |               |               |               |
|            | Appliances     |               |               |               |
|            |----------------+---------------+---------------+---------------|
|            | Network Threat |               |               |               |
|            | Behavior       |               |               |               |
|            | Analysis       |               |               |               |
|            | (NTBA) Sensor  |               |               |               |
|            | Hardware       |               |               |               |
|            | Appliances     |               |               |               |
|            |----------------+---------------+---------------+---------------|
|            | SIEM           |               |               |               |
|------------+----------------+---------------+---------------+---------------|
| Not        | Products that  |               |               |               |
| Vulnerable | do not ship    |               |               |               |
|            | with an        |               |               |               |
|            | operating      |               |               |               |
|            | system         |               |               |               |
+-----------------------------------------------------------------------------+

* Check with the OS or browser vendor for patch availability.
Download and Installation Instructions

See KB56057 for instructions on how to download McAfee products,
documentation, security updates, patches, and hotfixes. Review the Release
Notes and the Installation Guide, which you can download from the
Documentation tab, for instructions on how to install these updates.

Product Specific Notes

Below is a list of McAfee appliances and their status.

ATD

Physical Appliance - All versions of ATD (3.6, 3.8, 3.10, 4.0, 4.2) are
impacted. ATD will release the fix for this vulnerability.

Virtual Appliance - All versions of ATD (3.6, 3.8, 3.10, 4.0, 4.2) are
impacted. ATD will release the fix for this vulnerability. Also, the host
system on which the ATD VM runs needs to be patched if the vulnerability
impacts that system.

McAfee recommends that customers currently running ATD 3.6 and 3.8 first
upgrade to the latest ATD 4.0 software and then apply the patch releases
containing the vulnerability fix. Customers currently running ATD 4.0 or 4.2
need to update to the patch releases.

Data Loss Prevention Appliances:

Network DLP 9.3.4
Network DLP 9.3.4 is vulnerable but not exploitable. The Network DLP 9.3
appliance is a closed system - only the administrator has the option of
uploading and executing untrusted code. Any untrusted code will be executed
with full system privileges, so attempts to exploit Meltdown or Spectre
cannot enable access to additional information not already available to the
administrator. As a best practice, McAfee recommends that you use a strong
password for authentication with Network DLP appliances. Also, place them in
a DMZ with an external firewall that limits access to appliance IP addresses
and ports.

Network DLP 10.x, 11.x
Vulnerable: The Meltdown/Spectre exploit is a local privilege escalation
vulnerability. Network DLP Prevent and Monitor are vulnerable but not
directly exploitable because Network DLP Prevent and Monitor do not run
untrusted code.
The risk is low given that another vulnerability would be needed to take
advantage of Meltdown/Spectre. A kernel update is available that mitigates
the Spectre issue and fixes the Meltdown issue. Microcode updates from Intel
(currently in beta) will be made available in a future release to complete
the fix for the Spectre issue. The fix for these vulnerabilities introduces
up to a 5% drop in performance on virtual appliances. Increase resource
allocation to the virtual appliances by 5% to meet existing sizing
requirements.

Email Appliances:

MEG
Vulnerable: The Meltdown/Spectre exploit is a local privilege escalation
vulnerability. MEG is vulnerable but not directly exploitable because MEG
does not run untrusted code. The risk is low given that another
vulnerability would be needed to take advantage of Meltdown/Spectre. A
kernel patch is in test for MEG 7.6.40x.

MVM
MVM appliances use Microsoft Windows Server 2008 R2 and Intel processors and
are therefore vulnerable to these CVEs: CVE-2017-5753, CVE-2017-5715, and
CVE-2017-5754. Install the Windows security update KB4056897 and any other
relevant security updates on the appliances for mitigation.

Network/IPS Appliances:

NSP
NSP is vulnerable to Meltdown and Spectre. To exploit any of these
vulnerabilities, an attacker must be able to run crafted code on the
affected device.

NSP Sensor Hardware Appliances
All NSP Sensors are closed systems. They do not allow any remotely delivered
code to execute on the device, nor users to execute code locally. Although
the underlying CPU and kernel combination in these appliances might be
classified as unpatched, the inability to execute malicious code locally
makes them non-exploitable and effectively not vulnerable. There is no known
vector to exploit them.

NSP Sensor Virtual Appliances
NSP Sensor Virtual Appliances follow the same rationale as the physical
appliances.
But it is critical that the underlying system hosting the NSP VM is patched
if its CPU exhibits either of the above vulnerabilities.

NSM Appliances
The NSM Windows Appliance is a general-purpose computer and can be
classified as exploitable. The NSM Linux Appliance is a somewhat closed
general-purpose computer and is classified as exploitable to a lesser
extent. These appliances will receive an operating system patch to remediate
the vulnerabilities. The following NSM hardware platforms are impacted.

Windows
  * NSM-GLBL-NG (GLBL, MFE Network Sec Glbl Manager Appl-NG)
  * NSM-STND-NG (STND, MFE Network Sec Manager Appl-NG)
  * NSM-STND-NG-FO (FAOV, MFE Network Sec Manager FO Appl-NG)
  * NSM-STND-NG-UP (AUPG, MFE Network Sec Manager UPG Appl-NG)

Linux
  * NSM-MAPL-NG (NSM, MFE Network Security Manager Appl NG)

NSM Server Software
Customer-provided Windows machines that run NSM software are also deemed
exploitable and should be patched quickly. See the guidance from Microsoft.
No patch is required for the NSM software itself.

NSM Clients
Customers are advised to review and apply any browser patches that
mitigate/suppress the delivery of attacks associated with these
vulnerabilities. See the guidance from the browser vendors.

NTBA Sensor Hardware Appliances
All Sensor Appliances are closed systems. They do not allow any remotely
delivered code to execute on the device, nor users to execute it locally.
Although the underlying CPU and kernel combination in these appliances might
be classified as unpatched, the inability to execute malicious code locally
makes them non-exploitable and effectively not vulnerable. There is no known
vector to exploit them.

SIEM Appliances:

SIEM
SIEM is a closed system. Unprivileged local users are not able to execute
arbitrary code. Nevertheless, SIEM expects to address this vulnerability in
a future version update.
Web Appliances:

WGCS / SWE
The underlying operating system of the Web Gateway Cloud Platform has been
successfully patched to prevent exploitation of the vulnerability.

WPS
The underlying operating system of the Web Gateway Cloud Platform has been
successfully patched to prevent exploitation of the vulnerability.

MWG
Vulnerable: The impact of Meltdown/Spectre for MWG appliances is a local
privilege escalation that might allow reading kernel memory or memory from
other processes. This scenario is not directly exploitable because MWG does
not run untrusted code, so another vulnerability would be needed to take
advantage of Meltdown/Spectre. Given that configuration, the risk for MWG is
considered low.

Low Risk: Despite a low risk score, a Linux kernel patch is in test for MWG
7.7 and 7.8, both appliances and virtual. McAfee is also monitoring the
availability of microcode for the CPUs of the appliance models and will make
it available with BIOS patches.

Appliances Impacted: Because of the breadth of the issue, the appliances
impacted are essentially all current and historic models. The MWG version
that includes the Linux kernel patch for the OS is the one that is important
for resolution.

Performance: McAfee has a detailed performance and latency test as part of
its build and release process. We spend specific effort on the Linux kernel
update to ensure that the kernel patch does not impact the overall system
performance. Tests are not yet complete and we will advise officially when
the update releases. But current test results are positive and indicate that
the existing sizing recommendations for MWG appliances will not change with
the update.

Mitigations

NSM SigSet Detection
These vulnerabilities are host-specific. In theory, it might be possible to
exploit hosts via the network (using JavaScript). Signature coverage for
these vulnerabilities was made available via the signature set release on
January 9, 2018.

Acknowledgements

None.
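The product notes above repeatedly separate two states: a kernel update that fixes Meltdown (CVE-2017-5754) and mitigates Spectre variant 1 (CVE-2017-5753) is available now, while the fix for CVE-2017-5715 still waits on Intel microcode. The bulletin also insists that any hypervisor hosting an ATD or NSP virtual appliance be patched. The following Python is an added example, not McAfee code, for checking exactly that state on a Linux host you administer. It assumes the kernel exposes the standard /sys/devices/system/cpu/vulnerabilities interface (mainline Linux 4.15 and later, plus vendor backports), which the bulletin does not state; the sample status strings are constructed, though they follow the shapes real kernels print.

```python
"""Map Linux sysfs speculative-execution status to the three bulletin CVEs.

Added example, not McAfee code. Assumes a kernel that exposes
/sys/devices/system/cpu/vulnerabilities (mainline 4.15+ and distro backports).
"""
import os

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Kernel entry name -> CVE covered. The entry names are the kernel's own; the
# variant-to-CVE assignment is the public one from the January 2018 disclosure.
ENTRY_TO_CVE = {
    "spectre_v1": "CVE-2017-5753",  # variant 1, bounds check bypass
    "spectre_v2": "CVE-2017-5715",  # variant 2, branch target injection
    "meltdown":   "CVE-2017-5754",  # variant 3, rogue data cache load
}

BULLETIN_ORDER = ("CVE-2017-5715", "CVE-2017-5753", "CVE-2017-5754")


def classify(status: str) -> str:
    """Reduce one sysfs status line to not-affected / mitigated / vulnerable / unknown.

    Kernels print 'Not affected', 'Vulnerable', 'Vulnerable: <reason>' or
    'Mitigation: <what>'. Anything else is reported as unknown rather than
    guessed at.
    """
    s = status.strip()
    if s == "Not affected":
        return "not-affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s == "Vulnerable" or s.startswith("Vulnerable:"):
        return "vulnerable"
    return "unknown"


def assess(statuses: dict) -> dict:
    """statuses maps sysfs entry name -> raw file contents.

    Returns {CVE: (state, detail)}. A missing entry is reported as unknown:
    a kernel older than the interface gives no status at all, and that absence
    is itself a finding (the kernel predates the fixes).
    """
    report = {}
    for entry, cve in ENTRY_TO_CVE.items():
        raw = statuses.get(entry)
        if raw is None:
            report[cve] = ("unknown", "no sysfs entry; kernel predates the interface")
        else:
            report[cve] = (classify(raw), raw.strip())
    return report


def outstanding(statuses: dict) -> list:
    """CVEs that still need action on this host, in the bulletin's order."""
    report = assess(statuses)
    return [cve for cve in BULLETIN_ORDER
            if report[cve][0] in ("vulnerable", "unknown")]


def read_sysfs(path: str = SYSFS_DIR) -> dict:
    """Collect the live status files; entries that do not exist are omitted."""
    found = {}
    for entry in ENTRY_TO_CVE:
        try:
            with open(os.path.join(path, entry), encoding="ascii") as fh:
                found[entry] = fh.read()
        except OSError:
            pass
    return found


# Constructed sample (not captured from any McAfee appliance): a host whose
# kernel has been updated (PTI for Meltdown, pointer sanitization for Spectre
# v1) but has not yet received microcode, so Spectre v2 remains open. That is
# the interim state the bulletin describes for its Linux appliances.
SAMPLE_KERNEL_PATCHED_NO_MICROCODE = {
    "meltdown":   "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable\n",
}

if __name__ == "__main__":
    live = read_sysfs()
    for cve, (state, detail) in assess(live).items():
        print(f"{cve}: {state} ({detail})")
    print("needs action:", ", ".join(outstanding(live)) or "none")
```

Run on the host itself (the closed appliances give you no shell, so this applies to the hypervisors and NSM servers the bulletin asks you to patch). An empty result from read_sysfs() is treated as "unknown" for all three CVEs, which is the correct conservative reading of a kernel too old to report anything.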
Frequently Asked Questions (FAQs)

How do I know whether my McAfee product is vulnerable or not?

For Endpoint products:
Endpoint products are not affected. McAfee recommends that customers apply
operating system patches if available.

For ePO:
ePO is not affected. McAfee recommends that customers apply operating system
patches to the ePO server and ePO database server if available.

For Appliances:
Use the following instructions for Appliance-based products:
  1. Open the Administrator's User Interface (UI).
  2. Click the About link. The product version is displayed.

What is CVSS?
CVSS, or Common Vulnerability Scoring System, is the result of the National
Infrastructure Advisory Council's effort to standardize a system of
assessing the criticality of a vulnerability. This system offers an unbiased
criticality score between 0 and 10 that customers can use to judge how
critical a vulnerability is and plan accordingly. For more information,
visit the CVSS website at: http://www.first.org/cvss/.

When calculating CVSS scores, McAfee has adopted a philosophy that fosters
consistency and repeatability. Our guiding principle for CVSS scoring is to
score the exploit under consideration by itself. We consider only the
immediate and direct impact of the exploit under consideration. We do not
factor into a score any potential follow-on exploits that might be made
possible by successful exploitation of the issue being scored.

What are the CVSS scoring metrics that have been used?
CVE-2017-5715 - Spectre

+--------------------------------------------------+
| Base Score                | 5.6                  |
|---------------------------+----------------------|
| Attack Vector (AV)        | Local (L)            |
|---------------------------+----------------------|
| Attack Complexity (AC)    | High (H)             |
|---------------------------+----------------------|
| Privileges Required (PR)  | Low (L)              |
|---------------------------+----------------------|
| User Interaction (UI)     | None (N)             |
|---------------------------+----------------------|
| Scope (S)                 | Changed (C)          |
|---------------------------+----------------------|
| Confidentiality (C)       | High (H)             |
|---------------------------+----------------------|
| Integrity (I)             | None (N)             |
|---------------------------+----------------------|
| Availability (A)          | None (N)             |
|---------------------------+----------------------|
| Temporal Score (Overall)  | 5.1                  |
|---------------------------+----------------------|
| Exploitability (E)        | Proof-of-Concept (P) |
|---------------------------+----------------------|
| Remediation Level (RL)    | Temporary Fix (T)    |
|---------------------------+----------------------|
| Report Confidence (RC)    | Confirmed (C)        |
+--------------------------------------------------+

NOTE: The below CVSS version 3.0 vector was used to generate this score.
https://nvd.nist.gov/cvss/v3-calculator?vector=AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N/E:P/RL:T/RC:C

CVE-2017-5753 - Spectre

+--------------------------------------------------+
| Base Score                | 5.6                  |
|---------------------------+----------------------|
| Attack Vector (AV)        | Local (L)            |
|---------------------------+----------------------|
| Attack Complexity (AC)    | High (H)             |
|---------------------------+----------------------|
| Privileges Required (PR)  | Low (L)              |
|---------------------------+----------------------|
| User Interaction (UI)     | None (N)             |
|---------------------------+----------------------|
| Scope (S)                 | Changed (C)          |
|---------------------------+----------------------|
| Confidentiality (C)       | High (H)             |
|---------------------------+----------------------|
| Integrity (I)             | None (N)             |
|---------------------------+----------------------|
| Availability (A)          | None (N)             |
|---------------------------+----------------------|
| Temporal Score (Overall)  | 5.1                  |
|---------------------------+----------------------|
| Exploitability (E)        | Proof-of-Concept (P) |
|---------------------------+----------------------|
| Remediation Level (RL)    | Temporary Fix (T)    |
|---------------------------+----------------------|
| Report Confidence (RC)    | Confirmed (C)        |
+--------------------------------------------------+

NOTE: The below CVSS version 3.0 vector was used to generate this score.
https://nvd.nist.gov/cvss/v3-calculator?vector=AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N/E:P/RL:T/RC:C

CVE-2017-5754 - Meltdown (Intel Processors)

+--------------------------------------------------+
| Base Score                | 5.6                  |
|---------------------------+----------------------|
| Attack Vector (AV)        | Local (L)            |
|---------------------------+----------------------|
| Attack Complexity (AC)    | High (H)             |
|---------------------------+----------------------|
| Privileges Required (PR)  | Low (L)              |
|---------------------------+----------------------|
| User Interaction (UI)     | None (N)             |
|---------------------------+----------------------|
| Scope (S)                 | Changed (C)          |
|---------------------------+----------------------|
| Confidentiality (C)       | High (H)             |
|---------------------------+----------------------|
| Integrity (I)             | None (N)             |
|---------------------------+----------------------|
| Availability (A)          | None (N)             |
|---------------------------+----------------------|
| Temporal Score (Overall)  | 5.1                  |
|---------------------------+----------------------|
| Exploitability (E)        | Proof-of-Concept (P) |
|---------------------------+----------------------|
| Remediation Level (RL)    | Temporary Fix (T)    |
|---------------------------+----------------------|
| Report Confidence (RC)    | Confirmed (C)        |
+--------------------------------------------------+

NOTE: The below CVSS version 3.0 vector was used to generate this score.
https://nvd.nist.gov/cvss/v3-calculator?vector=AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N/E:P/RL:T/RC:C

Where can I find a list of all security bulletins or how do I report a
product vulnerability?
To find a list of all security bulletins, or if you have information about a
security issue or vulnerability with a McAfee product, visit our product
security website at:
http://www.mcafee.com/us/threat-center/product-security-bulletins.aspx.

Disclaimer

The information provided in this security bulletin is provided as is without
warranty of any kind.
McAfee disclaims all warranties, either express or implied, including the
warranties of merchantability and fitness for a particular purpose. In no
event shall McAfee or its suppliers be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business
profits, or special damages, even if McAfee or its suppliers have been
advised of the possibility of such damages. Some states do not allow the
exclusion or limitation of liability for consequential or incidental damages
so the foregoing limitation may not apply.

Any future product release dates mentioned in this security bulletin are
intended to outline our general product direction and they should not be
relied on in making a purchasing decision. The product release dates are for
information purposes only, and may not be incorporated into any contract.
The product release dates are not a commitment, promise, or legal obligation
to deliver any material, code, or functionality. The development, release,
and timing of any features or functionality described for our products
remains at our sole discretion and may be changed or canceled at any time.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWo+euox+lLeg9Ub1AQj1yw//T0ltLaX+mlXcQMJspqIlLRvOs5zAVjYh
UBgU5a0pAaPM/DH/FoOKcMdyHSuZGCpClEs3scnTqBozNrlZDZgRfCC6SgIEpjoc
wPrYC+0ETqmnhArOpBZF1Wch7b36F363gQm0akM1ST+hzeuSP6tm1Ymb3fhRB5wN
hfZ3mNc/FC8y8Umc7sK3xS3YNIbi2q97GwrZ7dNeIhBFeAmiXDwpTpUT/nClARMK
JaT5ad9HNatnaFNDhUgGeEiulIcD+2HTwZFW++X96zPJcNIRQHuUkAxK31+jQ6me
BmQ15Hx/vw0PbutMrpwd+r482XUfLpgEUb3r48wqKBCW1dmUyQPRnV0HX6Gi/RYy
ZE/3avp4hafcHwroqpuLcW9CGkhf/G9uGoPwkKFeZKqZ+rcth7ycNWt7TRDoMtCL
9YPUKjRAFaLIl107cOvyTR7nirCL+YUYZPuLTDDPqEhCvLa+2AidWh6FmMTk6WXA
v13mfpoDVXUngQakB3qYgo+gYf1gaJdNiC18CBjIpD1SyHITMlIPDuxt6nt6PWLq
FOjBXli7wjwD2TZpaIwDE4NEvuHKpGpuc/KFSevzSN0FLv3vSGtUdcEPhqEU5j7L
oaC+eiGlnErNruyrIDquJN2aCc+aYjIXiuAuwJ1LC5QjqXhKapSiCgmSA0nmSc8T
MHx3NCdUNWA=
=F+Qj
-----END PGP SIGNATURE-----