UPDATED -- Information about Meltdown and Spectre findings

by emoret on ‎01-04-2018 12:49 PM - edited on ‎01-26-2018 11:28 PM by Community Manager (17,653 Views)

[Post was originally published on Thursday, Jan. 4, 2018 and updated on Friday, Jan. 26, 2018]

 

Background

 

On January 3, 2018, security researchers released information on three vulnerabilities, known as Meltdown and Spectre [1], that affect modern CPU architectures (CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754). Our product security team reviewed the impact of these vulnerabilities on our products, and found:

  • PAN-OS devices: No increased risk and patching is not required at this time.

This bulletin will be updated as more information becomes available.

 

Impact

 

PAN-OS

 

PAN-OS/Panorama platforms are not directly impacted by these vulnerabilities, as successful exploitation on PAN-OS devices requires an attacker to have already compromised the PAN-OS operating system. We treat any vulnerability that compromises PAN-OS to allow the execution of unsigned code as a critical one. Any such vulnerability would be urgently updated and made available in a PAN-OS maintenance update for all supported versions of PAN-OS software.

 

Because of the low risk of the issue and the relatively high risk around code changes, the risk and impact must be carefully considered and thoroughly understood.  We will continue to monitor the situation as it evolves, and to evaluate update options available from our partner vendors as they become available.  We will update this bulletin with updates regarding software updates or other mitigations as they become available.

 

For more background, please see the following blog post.

 

Mitigations and Workarounds

 

General

 

Customers looking to mitigate their exposure to Meltdown and Spectre on their endpoints are encouraged to consult with their equipment manufacturers and operating system vendors on steps to patch or mitigate exposure.

 

Starting with content version 763, we began releasing coverage for specific exploitations of these attacks.  New coverage is added as we become aware of new attacks or proof-of-concept code.

 

PAN-OS

 

No action is required at this time.  This bulletin will be updated as more information becomes available.

 

Protection using Traps

 

Traps anti-exploitation mechanisms will not protect against exploiting of these vulnerabilities. The disclosed vulnerabilities are memory read vulnerabilities. They do not cause code execution. For an attacker to use these vulnerabilities, there likely would have been an initial attack phase that Traps may be able to prevent (e.g. a malicious EXE attempts to exploit the vulnerabilities).  

 

Traps 4.0.5-h1, Traps 4.1.2-h1, and later automatically set the registry key Microsoft requires to be present for their security updates to install successfully.

 

For more information on this registry key, please see Microsoft Knowledge Base Article 4072699.

 

For more information on Traps and Spectre and Meltdown, please see our Live Community posting here.

 

Conclusion

 

Your security is our top priority and our product security team continues to monitor the impact of this research and evaluate patching options from our partner vendors as they become available.

 

We will provide updates to this article as they become available. Should you have any questions, please contact our Global Customer Support Team at support.paloaltonetworks.com.

 

Reference

[1] https://meltdownattack.com/

 

 

Change Log

 

Thursday, Jan. 11, 2018

  • Post updated to include additional information on PAN-OS.

 

Friday, Jan. 12, 2018

  • Post updated to include additional information on an upcoming Traps update

 

Friday, Jan. 26, 2018

  • Post updated to include additional information on Traps update

 

Ignite 2018, Amsterdam, Netherlands
Ask Questions Get Answers Join the Live Community