McAfee Security Bulletin - Updates for microprocessors side channel analysis vulnerabilities CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754 (Meltdown/Spectre)
Security Bulletins ID:   SB10226
Last Modified:  9/19/2018
Summary

First Published: February 16, 2018
 
 Impact of Vulnerability: Data Leakage via Privilege Escalation (CWE-269)
Privilege Escalation (CWE-274)
 
CVE Information:

| CVE ID | Severity Rating | CVSS v3 Base Score | Affected Products |
| --- | --- | --- | --- |
| CVE-2017-5715 | Medium | 5.6 | Advanced Threat Defense (ATD), Data Exchange Layer (DXL), McAfee Active Response (MAR), Email Gateway (MEG), MOVE Agentless, MOVE Multi-platform, Vulnerability Manager (MVM), Web Gateway (MWG), Network Data Loss Prevention (NDLP), Network Security Manager (NSM) Appliances, NSM Clients, NSM Server Software, Network Security Sensor (NSS) Hardware Appliances and Virtual Appliances, Network Threat Behavior Analysis (NTBA) Sensor Hardware Appliances, SIEM - all versions, Threat Intelligence Exchange (TIE) Server, Web Gateway Cloud Service (WGCS), SaaS Web Protection (SWP), Web Protection Service (WPS) |
| CVE-2017-5753 | Medium | 5.6 | ATD, DXL, MAR, MEG, MOVE Agentless, MOVE Multi-platform, MVM, MWG, NDLP, NSM Appliances, NSM Clients, NSM Server Software, NSS Hardware Appliances and Virtual Appliances, NTBA Sensor Hardware Appliances, SIEM - all versions, TIE Server, WGCS, SWP, WPS |
| CVE-2017-5754 | Medium | 5.6 | ATD, DXL, MAR, MEG, MOVE Agentless, MOVE Multi-platform, MVM, MWG, NDLP, NSM Appliances, NSM Clients, NSM Server Software, NSS Hardware Appliances and Virtual Appliances, NTBA Sensor Hardware Appliances, SIEM - all versions, TIE Server, WGCS, SWP, WPS |

Highest CVSS v3 Base Score: 5.6 (Medium)
Recommendations: Deploy product updates as they are made available. 
Security Bulletin Replacement: None
Affected Software: See the McAfee Product Vulnerability Status lists below.
Location of updated software: http://www.mcafee.com/us/downloads/downloads.aspx

Vulnerability Description
A set of three vulnerabilities disclosed by Intel® on January 3, 2018, named Meltdown and Spectre, impact McAfee appliance products. Spectre includes CVE-2017-5715 and CVE-2017-5753, and Meltdown includes CVE-2017-5754.

Knowledge Base Articles:
  • KB90167 – Meltdown and Spectre – McAfee Product Compatibility Update (Corporate Products)
  • TS102769 – Microsoft Security Update January 2018 (Meltdown and Spectre) and McAfee consumer products
CVE-2017-5715
Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5715

CVE-2017-5753
Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5753

CVE-2017-5754
Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5754

McAfee Product Vulnerability Status
McAfee produces several security appliances that ship with an operating system such as Linux or Windows and use Intel, AMD, or other modern processors. Meltdown impacts only Intel processors. Spectre impacts Intel, AMD, ARM, and other processors. For information regarding McAfee product update compatibility, see KB90167.

Updates that address CVE-2017-5753 and CVE-2017-5754 are available for certain McAfee products as shown in the Remediation table below. Updates for CVE-2017-5715 depend on updates to Intel microcode that are not yet available. McAfee will update the status for these updates when the microcode is available.
 
Investigation into all McAfee products is ongoing. This Security Bulletin will be updated as additional information is available. Not every version of the "Vulnerable and Updated" products is vulnerable. See the Product Specific Notes section below for details. Products not on these lists or on the "No Vulnerabilities Reported" list are being investigated.
 
 
Update Availability

| Category | Product Acronym and Versions | CVE-2017-5715 (Spectre) | CVE-2017-5753 (Spectre) | CVE-2017-5754 (Meltdown) |
| --- | --- | --- | --- | --- |
| Vulnerable and Updated | ATD 4.x | No | No | February 22, 2018 |
| Vulnerable and Updated | DXL 2.2, 3.x, 4.0 | April 5, 2018 | January 22, 2018 | January 22, 2018 |
| Vulnerable and Updated | MAR 2.2.0 | March 13, 2018 | March 13, 2018 | February 9, 2018 |
| Vulnerable and Updated | MEG 7.6.x | Under Development | Under Development | May 8, 2018 |
| Vulnerable and Updated | MOVE Agentless 4.5.1 | No | February 13, 2018 | February 13, 2018 |
| Vulnerable and Updated | MOVE Multiplatform 4.6 | No | February 13, 2018 | February 13, 2018 |
| Vulnerable and Updated | NDLP 10.x, 11.x | No | February 15, 2018 | February 15, 2018 |
| Vulnerable and Updated | NSM Appliances | September 3, 2018 | September 3, 2018 | September 3, 2018 |
| Vulnerable and Updated | MWG 7.8.1.x, 7.7.2.9 | March 13, 2018 | April 10, 2018 | January 30, 2018 |
| Vulnerable and Updated | MWG 7.6.2.19 | No | No | January 30, 2018 |
| Vulnerable and Updated | TIE Server | March 15, 2018 | March 15, 2018 | March 1, 2018 |
| Vulnerable but low risk, Not Yet Updated | SIEM | Under Development | Under Development | Under Development |
| Vulnerable but Low Risk | ATD 3.x | Will Not be updated | Will Not be updated | Will Not be updated |
| Vulnerable but Low Risk | NDLP 9.3.4 | Will Not be updated | Will Not be updated | Will Not be updated |
| Vulnerable but Low Risk | NSP Sensor Hardware Appliances | Will Not be updated | Will Not be updated | Will Not be updated |
| Vulnerable but Low Risk | NTBA Sensor Hardware Appliances | Will Not be updated | Will Not be updated | Will Not be updated |
| Require OS/browser updates | MVM | Confirm update availability with OS Vendor | Confirm update availability with OS Vendor | Confirm update availability with OS Vendor |
| Require OS/browser updates | NSM Clients | Confirm update availability with Browser Vendor | Confirm update availability with Browser Vendor | Confirm update availability with Browser Vendor |
| Require OS/browser updates | NSM Server Software | Confirm update availability with OS Vendor | Confirm update availability with OS Vendor | Confirm update availability with OS Vendor |
| Require OS/browser updates | NSP Sensor Virtual Appliances | Confirm update availability with Host OS Vendor | Confirm update availability with Host OS Vendor | Confirm update availability with Host OS Vendor |
| Not Vulnerable | Products that do not ship with an OS | Not Applicable | Not Applicable | Not Applicable |
| Services Patched by McAfee | WGCS / SWE | January 30, 2018 | January 30, 2018 | January 30, 2018 |
| Services Patched by McAfee | WPS | January 30, 2018 | January 30, 2018 | January 30, 2018 |
 
No Vulnerabilities Reported
  1. Data Loss Prevention Endpoint (DLP Endpoint) / Host Data Loss Prevention (HDLP)
  2. Endpoint Security (ENS)
  3. ePO Cloud / ToPS Server (TPS)
  4. ePolicy Orchestrator (ePO)
  5. Host Intrusion Prevention Services (Host IPS)
  6. McAfee Agent (MA)
  7. VirusScan Enterprise (VSE)
  8. VirusScan Enterprise for Storage (VSES)
Other McAfee products that do not ship with an operating system
 
For a description of each product, see: http://www.mcafee.com/us/apps/products-az.aspx
 
Remediation
Go to the Product Downloads site and download the applicable product patch/hotfix files:
 
| Product | Versions | Type | Fixed Version | Release Date |
| --- | --- | --- | --- | --- |
| ATD | 4.0 | Update | 4.0.6 | February 22, 2018 |
| ATD | 4.2 | Update | 4.2.2 | February 22, 2018 |
| DXL | 4.0.0 | Hotfix | HF 5 (build 4.0.0.454.1) | March 27, 2018 |
| DXL | 3.1.0 | Hotfix | HF 13 (build 3.1.0.630.1) | March 20, 2018 |
| DXL | 3.0.1 | Hotfix | HF 9 (build 3.0.1.217.6) | April 5, 2018 |
| DXL | 3.0.0 | Hotfix | HF 11 (build 3.0.0.390.3) | April 5, 2018 |
| DXL | 2.2.0 | Hotfix | HF 9 (build 2.2.0.274.3) | April 5, 2018 |
| NDLP | 11.x | Hotfix | 11.0.201 | February 15, 2018 |
| NDLP | 10.x | Hotfix | 10.0.301 | February 15, 2018 |
| NSP Appliances | 3.x | Hotfix | NSM_MLOS-3.5.0.9465_V1 Version 3.30 | September 3, 2018 |
| MEG | 7.6.x | Hotfix | MEG-7.6.406h1252891-3484.101.zip | September 20, 2018 |
| MAR | 2.2.0 | Hotfix | 2.2.0.269 | March 13, 2018 |
| MOVE Agentless | 4.5.1 | Hotfix | HF 1224059 (build 4.5.1.302) | February 13, 2018 |
| MOVE Multiplatform | 4.6 | Hotfix | HF 1227059 (build 4.6.0.429) | February 13, 2018 |
| MWG | 7.8.0.x | Update | 7.8.1.4 | April 10, 2018 |
| MWG | 7.7.2.x | Update | 7.7.2.12 | April 10, 2018 |
| MWG | 7.6.2.x | Update | 7.6.2.19 | February 13, 2018 |
| TIE | 2.1.1 | Hotfix | HF 3 (build 2.1.1.241) | March 15, 2018 |
 
Download and Installation Instructions
See KB56057 for instructions on how to download McAfee products, documentation, security updates, other updates, and hotfixes. Review the Release Notes and the Installation Guide, which you can download from the Documentation tab, for instructions on how to install these updates.
 
Product Specific Notes
Below is a list of McAfee appliances and their status.

ATD Appliances:

Physical Appliances
All versions of ATD (3.6, 3.8, 3.10, 4.0, 4.2) are impacted. ATD 4.2.2 and 4.0.6, released February 22, 2018, update the MLOS kernel to address the Meltdown vulnerability. McAfee will address the Spectre vulnerability on ATD appliances in a future BIOS update. BIOS updates for ATD 3100 and ATD 6100 appliance models are expected to be available by end of March 2018.

Virtual Appliances:
All versions of ATD (3.6, 3.8, 3.10, 4.0, 4.2) are impacted. Also, the host system that has ATD VM running needs to be patched if the vulnerability impacts the system. ATD 4.2.2 and 4.0.6, released February 22, 2018, update the MLOS kernel to address the Meltdown vulnerability. McAfee will address the Spectre vulnerability on ATD appliances via a future BIOS update. BIOS updates for ATD 3100 and ATD 6100 appliance models are expected to be available by end of March 2018.

McAfee recommends that customers currently running ATD 3.6 and 3.8 first upgrade to latest ATD 4.0 software and then apply the updates with the vulnerability fix. Customers currently running ATD 4.0 or 4.2 need to apply the updates with the fix.
 
KB90207 contains ATD-specific information about these vulnerabilities.
 

Data Loss Prevention Appliances:

Network DLP 9.3.4
Network DLP 9.3.4 is vulnerable, but not exploitable. The Network DLP 9.3 appliance is a closed system - only the administrator has the option of uploading and executing untrusted code. Any untrusted code is executed with full system privileges so that attempts to exploit Meltdown or Spectre cannot enable access to additional information not already available to the administrator. As a best practice, McAfee recommends that you use a strong password for authentication with Network DLP appliances. Also, place them in a DMZ with an external firewall that limits access to appliance IP addresses and ports.

Network DLP 10.x, 11.x
Vulnerable: The Meltdown/Spectre exploit is a local privilege escalation vulnerability. Network DLP Prevent and Monitor are vulnerable but not directly exploitable because Network DLP Prevent and Monitor do not run untrusted code. The risk is low given that another vulnerability would be needed to take advantage of Meltdown/Spectre.
A kernel update is available that mitigates the Spectre issue and fixes the Meltdown issue. Microcode updates from Intel (currently in beta) will be made available in a future release to complete the fix for the Spectre issue. The fix for these vulnerabilities introduces up to a 5% drop in performance on virtual appliances. Increase resource allocation to the virtual appliances by 5% to meet existing sizing requirements.


Email Appliances:

MEG
Vulnerable: The Meltdown/Spectre exploit is a local privilege escalation vulnerability. MEG is vulnerable but not directly exploitable because MEG does not run untrusted code. The risk is low given that another vulnerability would be needed to take advantage of Meltdown/Spectre.


MVM Appliances:

MVM appliances use Microsoft Windows Server 2008 R2 and Intel processors, so they are vulnerable to these CVEs: CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754. Install the Windows security update KB4056897 and any other relevant security updates on the appliances for mitigation.


Network/IPS Appliances:

NSP
NSP is vulnerable to Meltdown and Spectre. To exploit any of these vulnerabilities, an attacker must be able to run crafted code on the affected device.

NSP Sensor Hardware Appliances
All NSP Sensors are closed systems. They do not allow any remotely delivered code to execute on the device, nor users to execute code locally. Although the underlying CPU and kernel combination in these appliances might be classified as unpatched, the inability for local execution of malicious code makes them non-exploitable and effectively not vulnerable. There is no known vector to exploit them.

NSP Sensor Virtual Appliances
NSP Sensor Virtual Appliances follow the same rationale as the physical appliances. However, it is critical that the underlying system hosting the NSP VM is patched if its CPU exhibits either of the above vulnerabilities.

NSM Appliances
The NSM Windows Appliance is a general-purpose computer and can be classified as exploitable. The NSM Linux Appliance is a somewhat closed general-purpose computer and is classified as exploitable to a lesser extent. These appliances will receive an operating system update to remediate the vulnerabilities.

The following NSM hardware platforms are impacted.

Windows
  • NSM-GLBL-NG (GLBL, MFE Network Sec Glbl Manager Appl-NG)
  • NSM-STND-NG (STND, MFE Network Sec Manager Appl-NG)
  • NSM-STND-NG-FO (FAOV, MFE Network Sec Manager FO Appl-NG)
  • NSM-STND-NG-UP (AUPG, MFE Network Sec Manager UPG Appl-NG)
Linux
  • NSM-MAPL-NG (NSM, MFE Network Security Manager Appl NG)
NSM Server Software
Customer-provided Windows systems that run NSM software are also deemed exploitable and should be updated quickly. Install the Windows security update KB4056897 and any other relevant security updates on the appliances for mitigation. There is no update required for the NSM software itself.

NSM Clients
Customers are advised to review and apply any browser updates that mitigate/suppress the delivery of attacks associated with these vulnerabilities. See the guidance from the browser vendors.

NTBA Sensor Hardware Appliances
All Sensor Appliances are closed systems. They do not allow any remotely delivered code to execute on the device, nor users to execute it locally. Although the underlying CPU and kernel combination in these appliances might be classified as unpatched, the inability for local execution of malicious code makes them non-exploitable and effectively not vulnerable. There is no known vector to exploit them.

 
SIEM Appliances:

SIEM
SIEM is a closed system. Unprivileged local users are not able to execute arbitrary code. Nevertheless, SIEM expects to address this vulnerability in a future version update.


TIE Server Appliances:

TIE Server
Vulnerable but low risk: This vulnerability is not directly exploitable in TIE Server because unprivileged local users are not able to execute arbitrary code, so another vulnerability would be needed to take advantage of Meltdown/Spectre. McAfee recommends patching TIE Server appliances as described in the Remediation section. If the TIE Server is deployed as a virtual appliance, McAfee recommends that the underlying system hosting the TIE Server VM be patched, if its CPU exhibits either of the above vulnerabilities.


Web Appliances:

WGCS / SWE
The underlying operating system of the Web Gateway Cloud Platform has been successfully patched to prevent exploiting the vulnerability.

WPS
The underlying operating system of the Web Gateway Cloud Platform has been successfully patched to prevent exploiting the vulnerability.

MWG
Vulnerable: The impact of Meltdown/Spectre for MWG appliances is a local privilege escalation that might allow reading kernel memory or memory from other processes. This scenario is not directly exploitable because MWG does not run untrusted code, so another vulnerability would be needed to take advantage of Meltdown/Spectre. Given that configuration, the risk for MWG is considered low.

Mitigations
NSM SigSet Detection
These vulnerabilities are host-specific. In theory, it might be possible to exploit hosts via the network (using JavaScript). Signature coverage for these vulnerabilities was made available via the signature set released on January 9, 2018.
 
Acknowledgements
These vulnerabilities were previously disclosed by The MITRE Corporation as CVEs.
 
Frequently Asked Questions (FAQs)
How do I know whether my McAfee product is vulnerable or not?
For Endpoint products:
Endpoint products are not affected. McAfee recommends that customers apply operating system updates if available.

For ePO:
ePO is not affected. McAfee recommends that customers apply operating system updates to the ePO server and ePO database server if available.

For Appliances:
Use the following instructions for Appliance-based products:
  1. Open the Administrator's User Interface (UI).
  2. Click the About link. The product version is displayed.
What is CVSS?
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council’s effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score between 0 and 10 that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, visit the CVSS website at: http://www.first.org/cvss/.

When calculating CVSS scores, McAfee has adopted a philosophy that fosters consistency and repeatability. Our guiding principle for CVSS scoring is to score the exploit under consideration by itself. We consider only the immediate and direct impact of the exploit under consideration. We do not factor into a score any potential follow-on exploits that might be made possible by successful exploitation of the issue being scored.
 
What are the CVSS scoring metrics that have been used?
 
CVE-2017-5715 – Spectre
 
 Base Score 5.6
 Attack Vector (AV) Local (L)
 Attack Complexity (AC) High (H)
 Privileges Required (PR) Low (L)
 User Interaction (UI) None (N)
 Scope (S) Changed (C)
 Confidentiality (C) High (H)
 Integrity (I) None (N)
 Availability (A) None (N)
 Temporal Score (Overall) 5.1
 Exploitability (E) Proof-of-Concept (P)
 Remediation Level (RL) Temporary Fix (T)
 Report Confidence (RC) Confirmed (C)

NOTE: The below CVSS version 3.0 vector was used to generate this score.
https://nvd.nist.gov/cvss/v3-calculator?vector=AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N/E:P/RL:T/RC:C
 
CVE-2017-5753 – Spectre
 
 Base Score 5.6
 Attack Vector (AV) Local (L)
 Attack Complexity (AC) High (H)
 Privileges Required (PR) Low (L)
 User Interaction (UI) None (N)
 Scope (S) Changed (C)
 Confidentiality (C) High (H)
 Integrity (I) None (N)
 Availability (A) None (N)
 Temporal Score (Overall) 5.1
 Exploitability (E) Proof-of-Concept (P)
 Remediation Level (RL) Temporary Fix (T)
 Report Confidence (RC) Confirmed (C)

NOTE: The below CVSS version 3.0 vector was used to generate this score.
https://nvd.nist.gov/cvss/v3-calculator?vector=AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N/E:P/RL:T/RC:C

CVE-2017-5754 – Meltdown (Intel Processors)
 
 Base Score 5.6
 Attack Vector (AV) Local (L)
 Attack Complexity (AC) High (H)
 Privileges Required (PR) Low (L)
 User Interaction (UI) None (N)
 Scope (S) Changed (C)
 Confidentiality (C) High (H)
 Integrity (I) None (N)
 Availability (A) None (N)
 Temporal Score (Overall) 5.1
 Exploitability (E) Proof-of-Concept (P)
 Remediation Level (RL) Temporary Fix (T)
 Report Confidence (RC) Confirmed (C)

NOTE: The below CVSS version 3.0 vector was used to generate this score.
https://nvd.nist.gov/cvss/v3-calculator?vector=AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N/E:P/RL:T/RC:C

Where can I find a list of all Security Bulletins or how do I report a product vulnerability?
All Security Bulletins are published on our external PSIRT website. Security Bulletins are retired once a product is both End of Life and End of Support.
 
If you have information about a security issue or vulnerability with a McAfee product, visit the McAfee PSIRT website.
 
Resources
To contact Technical Support, log on to the ServicePortal and go to the Create a Service Request page at https://support.mcafee.com/ServicePortal/faces/serviceRequests/createSR:
  • If you are a registered user, type your User ID and Password, and then click Log In.
  • If you are not a registered user, click Register and complete the required fields. Your password and logon instructions will be emailed to you.
Disclaimer
The information provided in this Security Bulletin is provided as is without warranty of any kind. McAfee disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall McAfee or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if McAfee or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the preceding limitation may not apply.
 
Any future product release dates mentioned in this bulletin are intended to outline our general product direction, and they should not be relied on in making a purchasing decision. The product release dates are for information purposes only, and may not be incorporated into any contract. The product release dates are not a commitment, promise, or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for our products remains at our sole discretion and may be changed or canceled at any time.
