Alcatel-Lucent Security Advisory No. SA-N0053 Ed. 03 Information on MELTDOWN and SPECTRE Vulnerabilities for Networking Portfolio

Alcatel-Lucent Security Advisory No. SA-N0053 Ed. 03 Information on MELTDOWN and SPECTRE vulnerabilities for Networking portfolio

Summary Two new vulnerabilities called Meltdown and Spectre, have been discovered that exploit techniques, speculative execution and page table management, implemented in modern processors that could allow malicious programs to access information from the memory of other programs executing on the processor. This Security Advisory provides information about ALE Networking portfolio, explaining that the risk on ALE network products is rated low/medium. Description of Issue Security researchers have discovered that CPU operations related to speculative execution and page table management can be abused to leak information leading to arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts. The following three variants of this issue are known to affect many modern processors, including certain processors by Intel, AMD and ARM. Spectre: Variant 1: bounds check bypass (CVE-2017-5753) Variant 2: branch target injection (CVE-2017-5715) Variant 3a: Rogue System Register Read – CVE-2018-3640 Variant 4: Speculative Store Bypass – CVE-2018-3639

Meltdown: Variant 3: rogue data cache load (CVE-2017-5754)

Full details of the "Meltdown" and "Spectre" vulnerabilities can be found at the following URLs: - https://meltdownattack.com/ - https://googleprojectzero.blogspot.co.at/2018/01/reading-privileged-memory-with-side.html

Risk evaluation on ALE products ALE OmniSwitch and OmniAccess Stellar WLAN products are based on a number of different CPU architectures, some of which are affected by the reported vulnerabilities. However, the required conditions to exploit these vulnerabilities are not supported in ALE products, i.e. the installation and execution of arbitrary code or process that could leverage the attack techniques. In order to exploit this vulnerability, an attacker would require the ability to develop and install code for the specific product and would require privileged level access to the device. An attacker that has already gained privileged level access to the device would be able to compromise the device without the need for further exploits.

ALE OmniVista 2500 deployed as a virtual appliance running under a hypervisor could be impacted by the exploitation of these vulnerabilities on the machine hosting the OmniVista2500 virtual appliance if the hypervisor is vulnerable. Untrusted users could then have access to other guest systems running under the same hypervisor, and an attacker may be able to access memory from the concurrent OmniVista 2500 virtual appliance. Please contact your virtualization vendor to determine whether updates are available.

The ALE OmniVista 2500 can also be deployed on a dedicated appliance platform. In such a deployment, the appliance could be based on a CPU architecture that is susceptible to the reported vulnerabilities. However, if the appliance is dedicated to OmniVista 2500 and access to the appliance is limited to authorized personnel, the conditions necessary to exploit the vulnerabilities are not supported.

Proof of concept code has been published based on the Meltdown and Spectre vulnerabilities, but none of the published code is directly applicable to Alcatel-Lucent Enterprise products. In addition, as stated above, executing the code requires a user with privileged access to the ALE Networking products. Considering the attack expertise (skilled) and requirements (access account with sufficient privilege), the risk level of these vulnerabilities is rated as low/medium for ALE products.

Additional Information about Variants 3a and 4 New variants known as Spectre 3A and 4 of the side-channel central processing unit (CPU) hardware vulnerability were publicly disclosed, see https://bugs.chromium.org/p/project-zero/issues/detail?id=1528 These variants are of the same nature with same prerequisites as variants 1 to 3. The relative impacts and conclusions apply in a similar manner to ALE products as detailed below.

Recommended Actions Users of ALE Networking products are reminded to ensure that access to these products is secured with management roles assigned to the minimum number of authorized personnel, and to follow recommend security installation measures and configuration.

ALE recommends applying security updates as soon as they are available.

As part of a defense-in-depth strategy, Alcatel-Lucent Enterprise will continue to investigate kernel patches, CPU microcode updates, and other mitigations for the OmniSwitch and OmniAccess Stellar products. This advisory will be updated with any relevant information when it is available.

Status on Alcatel-Lucent Enterprise Networking Products As stated, ALE Networking products are not directly vulnerable to these issues even though running on platforms that embed CPUs with the reported flaws.

Product Name Status OmniSwitch products Not impacted OmniAccess Stellar products Not impacted OmniVista 2500 Potential impact – low/medium. Contact hypervisor supplier for any updates.

Complimentary information for AOS-W based products can be found in SA-N0052 available on ALE PSIRT website https://www.al-enterprise.com/en/support/security-advisories

History Ed.01 (2018 January 10th): advisory creation Ed.02 (2018 April 16th): Additional clarification on products. Ed.03 (2018 June 14th): Additional information related to newly disclosed variants 3a and 4.

This advisory will be updated with impact status and security updates when available.