[Post was originally published on Thursday, Jan. 4, 2018 and updated on Friday, Jan. 26, 2018]
On January 3, 2018, security researchers released information on three vulnerabilities, known as Meltdown and Spectre, that affect modern CPU architectures (CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754). Our product security team reviewed the impact of these vulnerabilities on our products and found:
PAN-OS devices: No increased risk and patching is not required at this time.
This bulletin will be updated as more information becomes available.
PAN-OS/Panorama platforms are not directly impacted by these vulnerabilities, as successful exploitation on PAN-OS devices requires an attacker to have already compromised the PAN-OS operating system. We treat any vulnerability that compromises PAN-OS to allow the execution of unsigned code as a critical one. Any such vulnerability would be urgently updated and made available in a PAN-OS maintenance update for all supported versions of PAN-OS software.
Because of the low risk of the issue and the relatively high risk around code changes, the risk and impact must be carefully considered and thoroughly understood. We will continue to monitor the situation as it evolves and to evaluate update options from our partner vendors as they become available. We will update this bulletin as software updates or other mitigations become available.
For more background, please see the following blog post.
Mitigations and Workarounds
Customers looking to mitigate their exposure to Meltdown and Spectre on their endpoints are encouraged to consult with their equipment manufacturers and operating system vendors on steps to patch or mitigate exposure.
Starting with content version 763, we began releasing coverage for specific exploitations of these attacks. New coverage is added as we become aware of new attacks or proof-of-concept code.
No action is required at this time. This bulletin will be updated as more information becomes available.
Protection using Traps
Traps anti-exploitation mechanisms will not protect against exploitation of these vulnerabilities. The disclosed vulnerabilities are memory read vulnerabilities; they do not cause code execution. For an attacker to use these vulnerabilities, there would likely have been an initial attack phase that Traps may be able to prevent (e.g. a malicious EXE attempting to exploit the vulnerabilities).
Traps 4.0.5-h1, Traps 4.1.2-h1, and later automatically set the registry key Microsoft requires to be present for their security updates to install successfully.
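The bulletin does not name the registry key. As an added example (not Palo Alto Networks code), the check below assumes it is the antivirus-compatibility flag Microsoft documented for the January 2018 updates, `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat`, value `cadca5fe-87d3-4b96-b7fb-a231484277cc` (REG_DWORD 0); it reports whether the flag is present on a host so an administrator can confirm Traps set it before expecting the Windows updates to install.

```powershell
# Added example: verify the compatibility flag Microsoft required for the
# January 2018 security updates. Key path and value name are assumptions
# taken from Microsoft's guidance, not from the bulletin above.
function Test-QualityCompatFlag {
    $keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
    $valueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

    if (-not (Test-Path -Path $keyPath)) {
        return [pscustomobject]@{ Present = $false; Value = $null; Note = 'Key missing' }
    }

    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Present = $false; Value = $null; Note = 'Value missing' }
    }

    $value = $item.$valueName
    # Microsoft's guidance is a REG_DWORD of 0; any other value is reported as unexpected.
    $note = if ($value -eq 0) { 'Flag set as expected' } else { 'Unexpected value' }
    return [pscustomobject]@{ Present = $true; Value = $value; Note = $note }
}

# Run on the local host and print the result as a single line.
Test-QualityCompatFlag | Format-List
```

Run from an elevated PowerShell session; a `Present = False` result on a host running Traps 4.0.5-h1 or 4.1.2-h1 (or later) is worth investigating before rolling out the Windows updates.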