UPDATED -- Information about Meltdown and Spectre findings

by emoret 3 weeks ago - edited 2 weeks ago by Community Manager (11,698 Views)

[Post was originally published on Thursday, Jan. 4, 2018 and updated on Friday, Jan. 12, 2018]

 

Background

 

On January 3, 2018, security researchers released information on three vulnerabilities, known as Meltdown and Spectre [1], that affect modern CPU architectures (CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754). Our product security team reviewed the impact of these vulnerabilities on our products, and found:

  • PAN-OS devices: No increased risk and patching is not required at this time.

This bulletin will be updated as more information becomes available.

 

Impact

 

PAN-OS

 

PAN-OS/Panorama platforms are not directly impacted by these vulnerabilities, as successful exploitation on PAN-OS devices requires an attacker to have already compromised the PAN-OS operating system. We treat any vulnerability that compromises PAN-OS to allow the execution of unsigned code as a critical one. Any such vulnerability would be urgently updated and made available in a PAN-OS maintenance update for all supported versions of PAN-OS software.

 

Because of the low risk of the issue and the relatively high risk around code changes, the risk and impact must be carefully considered and thoroughly understood.  We will continue to monitor the situation as it evolves, and to evaluate update options available from our partner vendors as they become available.  We will update this bulletin with updates regarding software updates or other mitigations as they become available.

 

For more background, please see the following blog post.

 

Mitigations and Workarounds

 

General

 

Customers looking to mitigate their exposure to Meltdown and Spectre on their endpoints are encouraged to consult with their equipment manufacturers and operating system vendors on steps to patch or mitigate exposure.

 

Starting with content version 763, we began releasing coverage for specific exploitations of these attacks.  New coverage is added as we become aware of new attacks or proof-of-concept code.

 

PAN-OS

 

No action is required at this time.  This bulletin will be updated as more information becomes available.

 

Protection using Traps

 

Traps anti-exploitation mechanisms will not protect against exploiting of these vulnerabilities. The disclosed vulnerabilities are memory read vulnerabilities. They do not cause code execution. For an attacker to use these vulnerabilities, there likely would have been an initial attack phase that Traps may be able to prevent (e.g. a malicious EXE attempts to exploit the vulnerabilities).  Today, customers will need to apply the necessary Microsoft Windows patches and manually set the registry key to enable Traps to continue protecting systems.  The steps to set the registry key have been provided in detail in the following Knowledge Base article.

 

Please note: While setting the registry key is a manual process today, we are actively working on an update that will automatically set this registry key, which will be released in the coming weeks. We will update this post with details once the update is available.

 

Conclusion

 

Your security is our top priority and our product security team continues to monitor the impact of this research and evaluate patching options from our partner vendors as they become available.

 

We will provide updates to this article as they become available. Should you have any questions, please contact our Global Customer Support Team at support.paloaltonetworks.com.

 

Reference

[1] https://meltdownattack.com/

 

 

Change Log

 

Thursday, Jan. 11, 2018

  • Post updated to include additional information on PAN-OS.

 

Friday, Jan. 12, 2018

  • Post updated to include additional information on an upcoming Traps update
Ignite 2018
Ask Questions Get Answers Join the Live Community