On January 3, 2018, researchers disclosed three that take advantage of the implementation of speculative execution of instructions on many modern microprocessor architectures to perform side-channel information . These could allow an unprivileged local attacker, in specific circumstances, to read privileged memory belonging to other processes or memory allocated to the operating system kernel.

The first two vulnerabilities, CVE-2017-5753 and CVE-2017-5715, are collectively known as Spectre. The third vulnerability, CVE-2017-5754, is known as Meltdown. The vulnerabilities are all variants of the same attack and differ in the way that speculative execution is exploited.

To exploit any of these vulnerabilities, an attacker must be able to crafted on an affected device. Although the underlying and operating system combination in a product or service may be affected by these vulnerabilities, the majority of are closed systems that do not allow to run custom code and are, therefore, not vulnerable. There is no vector to exploit them. Cisco are considered potentially vulnerable only if they allow customers to execute custom code side-by-side with Cisco code on the same microprocessor.

A Cisco product that may be deployed as a virtual machine or a container, even while not directly affected by any of these vulnerabilities, could be targeted by such attacks if the hosting environment is vulnerable. Cisco recommends that customers harden their virtual environments, tightly control user access, and ensure that all security updates are installed. Customers who are deploying products as a virtual device in multi-tenant hosting environments should ensure that the underlying hardware, as well as operating system or hypervisor, is patched against the vulnerabilities in question.

Although Cisco cloud services are not directly affected by these vulnerabilities, the on which they run may be impacted. Refer to the “Affected Products” section of this advisory for information about the impact of these vulnerabilities on Cisco cloud services.

Cisco will release software updates that address these vulnerabilities.
This advisory is available at the following link:

Security Impact Rating: Medium

CVE: CVE-2017-5715,CVE-2017-5753,CVE-2017-5754

Source link


Please enter your comment!
Please enter your name here