Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.3420
Intel CPU SRBDS side-channel vulnerability CVE-2020-0543
1 October 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: F5 Products
Publisher: F5 Networks
Operating System: Network Appliance
Impact/Access: Access Confidential Data -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2020-0543
Reference: ESB-2020.2018
ESB-2020.2006
ESB-2020.1994
Original Bulletin:
https://support.f5.com/csp/article/K25920352
- --------------------------BEGIN INCLUDED TEXT--------------------
K25920352:Intel CPU SRBDS side-channel vulnerability CVE-2020-0543
Security Advisory
Original Publication Date: 01 Oct, 2020
Security Advisory Description
Incomplete cleanup from specific special register read operations in some Intel
(R) Processors may allow an authenticated user to potentially enable
information disclosure via local access. (CVE-2020-0543)
Impact
This is a new domain bypass transient execution attack known as Special
Register Buffer Data Sampling (SRBDS). All exposure is limited to the control
plane, also known as the management plane. There is no exposure on BIG-IP
products by way of the data plane. Additionally, on the control plane, the
vulnerabilities are exploitable only by the following four authorized,
authenticated account roles: Administrator, Resource Administrator, Manager,
and iRules Manager. An attacker must be authorized to access the system in one
of these roles to attempt to exploit the vulnerabilities.
This vulnerability requires an attacker who can provide and run binary code of
their choosing on the BIG-IP platform. As a result, these conditions severely
restrict the exposure risk of BIG-IP products.
Single-tenancy products
For single-tenancy products, such as a standalone BIG-IP device, the risk is
limited to a local, authorized user employing one of the vulnerabilities to
read information from memory that they would not normally access, exceeding
their privileges. A user may be able to access kernel-space memory instead of
their own user-space.
Multi-tenancy environments
For multi-tenancy environments, such as cloud, Virtual Edition (VE), and
Virtual Clustered Multiprocessing (vCMP), the same local kernel memory access
risk applies as in single-tenancy environments. Additionally, there is a risk
of attacks across guests, or attacks against the hypervisor or host. In cloud
and VE environments, preventing these new attacks falls on the hypervisor or
host platform, which is outside the scope of F5's ability to support or patch.
Contact your cloud provider or hypervisor vendor to ensure their platforms or
products are protected against Spectre variants.
Vulnerability research
For vCMP environments, F5 believes that while the Spectre Variant attacks offer
a theoretical possibility of guest-to-guest or guest-to-host attacks, these
would be very difficult to successfully conduct in the BIG-IP environment. The
primary risk in the vCMP environment with Spectre variants only exists when
vCMP guests are configured to use a single core. If the vCMP guests are
configured to use two or more cores, the Spectre Variant vulnerabilities are
eliminated.
F5 is working with its hardware component vendors to determine the scope of
vulnerabilities across its various generations of hardware platforms. All of
the current information from the F5 vendors is represented in this security
advisory. F5 is working to obtain the remaining information from its vendors
and will update the security advisory as F5 receives new information regarding
its hardware platforms.
F5 is also testing the fixes produced by the Linux community, and is conducting
an extensive test campaign to characterize the impact of the fixes on system
performance and stability to ensure a good experience for its customers. F5
does not want to rush the process and release fixes without a full
understanding of potential issues. Given the limited exposure, the complexity
of the fixes, and the potential issues, a detailed approach is warranted, and
rushing a fix could result in an impact to system stability or unacceptable
performance costs. F5 will update this article with fixes as the fixes become
available.
Security Advisory Status
F5 Product Development has assigned ID 947709 (BIG-IP) to this vulnerability.
To determine if your product and version have been evaluated for this
vulnerability, refer to the Applies to (see versions) box. To determine if your
release is known to be vulnerable, the components or features that are affected
by the vulnerability, and for information about releases, point releases, or
hotfixes that address the vulnerability, refer to the following table. For more
information about security advisory versioning, refer to K51812227:
Understanding security advisory versioning.
+-------------------+------+----------+----------+----------+------+----------+
| | |Versions |Fixes | |CVSSv3|Vulnerable|
|Product |Branch|known to |introduced|Severity |score^|component |
| | |be |in | |1 |or feature|
| | |vulnerable| | | | |
+-------------------+------+----------+----------+----------+------+----------+
| |16.x |16.0.0 |None | | | |
| +------+----------+----------+ | | |
| |15.x |15.1.0 |None | | | |
| +------+----------+----------+ | | |
|BIG-IP (LTM, AAM, |14.x |14.1.0 - |None | | | |
|Advanced WAF, AFM, | |14.1.2 | | | |F5 |
|Analytics, APM, +------+----------+----------+ | |hardware |
|ASM, DDHD, DNS, |13.x |13.1.0 - |None |Medium |5.9 |platforms^|
|FPS, GTM, Link | |13.1.3 | | | |2 |
|Controller, PEM, +------+----------+----------+ | | |
|SSLO) |12.x |12.1.0 - |None | | | |
| | |12.1.5 | | | | |
| +------+----------+----------+ | | |
| |11.x |11.6.1 - |None | | | |
| | |11.6.5 | | | | |
+-------------------+------+----------+----------+----------+------+----------+
| |7.x |None |Not | | | |
| | | |applicable| | | |
| +------+----------+----------+ | | |
|BIG-IQ Centralized |6.x |None |Not |Not |None |None |
|Management | | |applicable|vulnerable| | |
| +------+----------+----------+ | | |
| |5.x |None |Not | | | |
| | | |applicable| | | |
+-------------------+------+----------+----------+----------+------+----------+
|Traffix SDC |5.x |None |Not |Not |None |None |
| | | |applicable|vulnerable| | |
+-------------------+------+----------+----------+----------+------+----------+
^1The CVSSv3 score link takes you to a resource outside of AskF5, and it is
possible that the document may be removed without our knowledge.
^2For information about the affected hardware platforms, refer to the
Vulnerable platforms section.
Vulnerable platforms
BIG-IP
+-----------+---------------+----------+
|Model |Processor types|Vulnerable|
+-----------+---------------+----------+
|BIG-IP 2xx0|Intel |Y |
+-----------+---------------+----------+
|BIG-IP 4xx0|Intel |Y |
+-----------+---------------+----------+
|BIG-IP 5xx0|Intel |Y |
+-----------+---------------+----------+
|BIG-IP 7xx0|Intel |Y |
+-----------+---------------+----------+
Security Advisory Recommended Actions
If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version listed
in the Fixes introduced in column. If the table lists only an older version
than what you are currently running, or does not list a non-vulnerable version,
then no upgrade candidate currently exists.
Mitigation
None
Supplemental Information
o K41942608: Overview of security advisory articles
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K9502: BIG-IP hotfix and point release matrix
o K13123: Managing BIG-IP product hotfixes (11.x - 16.x)
o K167: Downloading software and firmware from F5
o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBX3Uv9eNLKJtyKPYoAQitxBAAnWvrvhYAHd0EkI4/cm+twMAGY1mV6MuP
d2Yc5Rn5HpRY7yMhYj+kl0Rc8WZO3sqmWbEpPIsyUJkp47K0jnkuxELmvZrqJvR2
T7uabOi4oDkp+oify5IeaglAK95t91nVj7YgpwuS074YCS+JNSPcXi7bzRfnM4ws
J6PNZjFf9Mi+H6Rcp35PVQgoIAZSY02NbAbzEfxiDscV/MYt8mZ/mLnXVpY2cJV9
tgbbjGoJyEf4l9Zk7RtDlNCK21SJzo0PJQnRRnN2FowCOWmengBsEJCRJw/1aeGb
OswUhY/ptr4nWjKRh1yVu4jG91iSk5BahD4nFrT3bz4eJkj+x9Rczp0+J++5FKda
m26YOTUtSVc8nKHZHvPGCIXwO7thBRpxKk5yyZNvk4uyAap3ikINngYAMt1+sZPa
1I4IEh7YX/Ik9Kos7TmsW3f6CRBBv8MOVQr5mro7oTo0908hHT7aCRROF+tulVSa
Kn6fZUFUdM6OQNogb8s5j9LtP4icwhtXU1eADZBTahZt8lEyVISD8ad+0SX521jk
RgIkaqMmasw3mWAcEERatLePaZyYLFQezLWmsOtp52UPSewbEQBTqaK+DC3slYRa
OIdsuekHpSP2H/w26zRzUteM9Q2MK6/6WgE7MZ2i002xS2NkBJTyCPTt1A1MVG8j
h6x6dlG12Ds=
=aAur
-----END PGP SIGNATURE-----