requires a kernel update for compliance
An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant CVE-2017-5753 triggers the speculative execution by performing a bounds-check bypass. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to cross the syscall boundary and read privileged memory by conducting targeted cache side-channel attacks.
CVSS3 Base Score 8.2
For Unitrends systems, the risk of this exploit is minimal because shell access is restricted and the complexity is high, but many customers will need this resolved for compliance testing.
Related CVEs: CVE-2017-5754, CVE-2017-5715
For Unitrends Physical Appliances and VMWare UBs, to immediately install the security update that contains protection from this threat:
Click Here: ----> How to apply Unitrends security updates
You should reboot after applying this security update in order to run the new kernel.
This risk is mitigated with Unitrends security_update v10.17 or later which includes kernel-2.6.32-696.18.7.el6. This updated CentOS6 kernel will be applied to physical and VMware UB systems.
For Xen UB VMs, this kernel is not compatible, and the host update is not yet available.
For Hyper-V UB and Azure UB, the kmod-microsoft-hyper-v rpm to support this has not yet been released.
With v10.18 on 01/09/2018, the Unitrends security_update adds a qemu-kvm-0.12.1.2-2.503.el6_9.4.x86_64.rpm package also.
Note that the new kernel may have a performance impact. Red Hat estimates that the impact will reduce performance in a range from 5% to 30%. Unitrends has not yet completed its own performance estimates, but we believe that our performance impact will be on the low end of this range because the speculative execution functions affected are used less on our systems.
If the new kernel performance is not satisfactory, run this command from PuTTY/ssh and reboot to revert to the previous kernel:
Note that if the UB is a guest VM on VMware ESXi, it is also important to update the VMware ESXi host. See this VMware article for details https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html..
LINK TO ADVISORIES
- https://access.redhat.com/security/cve/CVE-2017-5753 https://access.redhat.com/security/cve/CVE-2017-5754 https://access.redhat.com/security/cve/CVE-2017-5715 https://access.redhat.com/security/vulnerabilities/speculativeexecution https://access.redhat.com/errata/RHSA-2018:0008 https://access.redhat.com/errata/RHSA-2018:0024 https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html https://spectreattack.com/ https://meltdownattack.com http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5753 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5754 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5715