Vendor Update Status: Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715)

Posted on Friday, January 05, 2018
Get in touch

Last updated: 09:05 12th Jan 2018

Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715) exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. To mitigate these vulnerabilities operating system and application developers have been publishing patches and updates to mitigate these identified issues.

To mitigate the Meltdown vulnerability (CVE-2017-5754) will require a combination of operating system and processor microcode updates. Microcode is a small piece of software that is directly installed on the processor to act as an interface between the hardware and operating system. This Microcode update will be provided by OEM manufacturers and will need to be installed as part of their update mechanism.

To help Softcat’s customers we will be compiling a list of the major manufactures updates and statements to provide a central location for all the updates are they are released. All updates will be posted below.

Aruba

Statement released. Vulnerable products identified. Further investigation ongoing.

“Aruba products are based on a number of different CPU architectures, some of which are affected by the vulnerabilities. However, no Aruba product allows execution of arbitrary code by an unauthorized user. In order to exploit this vulnerability, an attacker would require that ability. Achieving code execution would require the presence of second, unrelated vulnerability, and it is likely that such a vulnerability would already allow compromise of the system without the need for further exploits.”

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-001.txt

Check Point

Statement released. To allow for the Meltdown update on Windows (ADV180002) an update will be required and the REG key will be switched automatically on signature version  December 28, 2017 or later

Additional guidance is provided here

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122103

Cisco

Vulnerability acknowledged and affected products have been identified, awaiting patches.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechannel

Cisco AMP has been updated to allow for the Meltdown update on Windows (ADV180002) an update will be required and the REG key will need to be switched manually.

Additional guidance is provided here

https://supportforums.cisco.com/t5/sourcefire-documents/cisco-amp-for-endpoints-compatibility-with-windows-security/ta-p/3306874

Citrix

Statement Released. Vulnerability acknowledged and some affected products have been identified and patched, some remaining products are awaiting patches.

https://support.citrix.com/article/CTX231390

Clearswift

Clearswift Product Security Advisory Concerning "Meltdown" and "Spectre" 

Clearswift made available on the 3rd January 2018 updates to the RHEL Operating System alongside an Application upgrade (4.7.1) for all Gateway products

Details have been published in a knowledge base article on our support portal and we have put out information on the products UI RSS Feed to alert customers directly. Clearswift customers are advised to login to their Clearswift Support Portal to see the article. Support Portals are accessed here - https://www.clearswift.com/support/portals (Clearswift login required to access)

Cylance

Statement released. To allow for the Meltdown update on Windows (ADV180002) an update will be required and the REG key will need to be switched manually.

Additional guidance is provided here 

https://www.cylance.com/en_us/blog/cylance-not-impacted-by-meltdown-or-spectre-vulnerabilities.html

Dell EMC

Statement Released. Vulnerability acknowledged and some affected products have been identified and patched, some remaining products are awaiting patches.

“Dell is aware of new security research describing software analysis methods related to Intel microprocessors. We are working with Intel and others in the industry to investigate and address the issue. For more information, please refer to the article posted on Intel’s website.”

“We are expecting further statements as work continues, however we have released a BIOS firmware today with enhancements to address the issue:

The following pages will be updated with the latest information on affected Dell / Dell EMC products including BIOS updates as they are available.

If you are using any PowerEdge server patch tool fed from support.dell.com (such as OpenManage Essentials and Repository Manager) you will see this update in your patch queue flagged as “urgent”.

F5 Networks

Statement Released. Vulnerability acknowledged and some affected products have been identified, awaiting further investigation.

https://support.f5.com/csp/article/K91229003

FireEye

Statement Released. Vulnerability acknowledged and some affected products have been identified, awaiting patches.

https://www.fireeye.com/blog/products-and-services/2018/01/fireeye-notice-for-meltdown-and-spectre-vulnerabilities.html

Fujitsu

Statement Released. Vulnerability acknowledged and some affected products have been identified and patched, some remaining products are awaiting patches. 

“The EMEIA support webpage below details the current publicly available information about the vulnerabilities, affected Fujitsu products and estimated availability of patches and updates for BIOS provided by Fujitsu and other vendors. Not all fixes have release dates yet, and not all BIOS versions are known yet. The webpage will be updated regularly.”

http://support.ts.fujitsu.com/content/SideChannelAnalysisMethod.asp 

HPE / Nimble

HPE has made the following system ROM updates which include an updated microcode to resolve the vulnerability:

  • HPE has provided a customer bulletin https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00039267en_us with specific instructions to obtain the updated system ROM
  • Note:
    • CVE-2017-5715 requires that the System ROM be updated and a vendor supplied operating system update be applied as well.
    • For CVE-2017-5753, CVE-2017-5754 requires only updates of a vendor supplied operating system.

https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03805en_us

Intel

Statement Released. Vulnerability acknowledged and some affected products have been identified, awaiting patches.

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr

Juniper Networks

Statement Released. Vulnerability acknowledged and some affected products have been identified, awaiting further investigation.

https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10842&actp=RSS

Kaspersky

Statement released. To allow for the Meltdown update on Windows (ADV180002) an update will be required and the REG key will be switched automatically on before 9th January 2018.

Additional guidance is provided here

https://support.kaspersky.co.uk/14042

Lenovo

Statement Released. Vulnerability acknowledged and some affected products have been identified and patched, Some remaining products are awaiting patches. 

https://support.lenovo.com/gb/en/solutions/len-18282

McAfee

Statement released. To allow for the Meltdown update on Windows (ADV180002) an update will be required and the REG key will be switched automatically on version 15.0 R4 or later. 

Additional guidance is provided here

https://service.mcafee.com/webcenter/portal/cp/home/articleview?locale=&articleId=TS102769

Microsoft

Statement Released. Vulnerability acknowledged and affected products have been identified and patched.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002

NetApp

Statement Released. Vulnerability acknowledged. Further investigation taking place.

https://security.netapp.com/advisory/ntap-20180104-0001/

Nutanix

Statement Released. Vulnerability acknowledged and some affected products have been identified, awaiting patches. 

http://download.nutanix.com/alerts/Security-Advisory_0007_v1.pdf

Further information is expected to be posted to https://portal.nutanix.com/#/page/static/fieldAdvisories (Requires Nutanix login to view)

Palo Alto

Statement released. To allow for the Meltdown update on Windows (ADV180002) an update will be required and the reg key will need to be switched manually.

Additional guidance is provided here: https://live.paloaltonetworks.com/t5/Customer-Advisories/Information-about-Meltdown-and-Spectre-findings/ta-p/193878/jump-to/first-unread-message&sa=D&ust=1515402733875000&usg=AFQjCNFk_9VQGX6leoLPLhsbth4EVxwTEQ

Pure Storage

Statement updated. Vulnerability acknowledged, affected product has been identified. Further investigation ongoing, awaiting patch.

Updates will be provided on the following field bulletin.

https://support.purestorage.com/Field_Bulletins/The_Meltdown_and_Spectre_CPU_Vulnerabilities (Pure1 login required)

Red Hat

Statement Released. Vulnerability acknowledged and some affected products have been identified and patched, some remaining products are awaiting patches.

https://access.redhat.com/security/vulnerabilities/speculativeexecution

Sophos

Statement released. Vulnerability acknowledged, affected product have been identified. Endpoint updates have been deployed. Further investigation ongoing for network appliances, awaiting patches. 

Updates will be delivered to - https://community.sophos.com/kb/en-us/128053

Supermicro

Statement Released. Vulnerability acknowledged and some affected products have been identified and patched, some remaining products are awaiting patches.

https://www.supermicro.com/support/security_Intel-SA-00088.cfm

Symantec

Statement released. To allow for the Meltdown update on Windows (ADV180002) an update will be required and the REG key will be switched automatically on version ERASER Engine 117.3.0.358 or greater. 

Additional guidance is provided here

https://support.symantec.com/en_US/article.INFO4793.html

Trend Micro

Statement released. To allow for the Meltdown update on Windows (ADV180002) an update will be required and the REG key will need to be switched manually.

Additional guidance is provided here

https://esupport.trendmicro.com/en-us/home/pages/technical-support/1118996.aspx

VMware

Statement Released. Vulnerability acknowledged and affected products have been identified and patched.

 https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html

Need more help?

If you need any further advice or support, please speak to your Softcat account manager or get in touch using the form below


Please note that the information provided is for guidance only and is provided subject to the limitations set out in our website terms of use


Get in touch
Comments

We would love to hear any comments you have about this article!

Gavin Hesse

Tuesday, January 09, 2018
Hi Adam,
FireEye response is in line with your useful article.
Please see a link for CVE-2017-5754, CVE-2017-5753, and CVE-2017-5715 (“Meltdown” and “Spectre” vulnerabilities) from FireEye Expertise here;
https://www.fireeye.com/blog/products-and-services/2018/01/fireeye-notice-for-meltdown-and-spectre-vulnerabilities.html