2018-01 Out of Cycle Security Bulletin: Meltdown & Spectre: CPU Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method

  [JSA10842]


Product Affected:
See Problem and Solution sections below.
Problem:
Modern microprocessors that implement speculative execution of instructions are susceptible to a new class of cache timing attacks being called "Meltdown" and "Spectre".  These vulnerabilities could allow an attacker to read privileged memory which may contain sensitive information such as passwords or encryption keys.

There are three known variants of the issue:
  • Variant 1: bounds check bypass (CVE-2017-5753)
  • Variant 2: branch target injection (CVE-2017-5715)
  • Variant 3: rogue data cache load (CVE-2017-5754)

Almost all modern CPUs, including the ones in most Juniper products, use speculative execution and are potentially susceptible to these types of attacks. However, it is important to note that in order to exploit this weakness and gain access to restricted memory, the attack requires executing crafted code on the device.
 
Most Juniper devices are deployed in a manner that will offer multiple layers of protection against successful exploit of these issues:
  • Limiting access to critical infrastructure networking equipment to only trusted administrators from trusted administrative networks or hosts will prevent untrusted code execution, which is required for successful exploitation of these vulnerabilities.
  • Furthermore, most products running Junos OS can only execute code signed by Juniper (e.g. veriexec code-signing validation in Junos OS).  This ensures that only code signed by Juniper can be executed on the device.  Administrators can check whether veriexec is enforced by running the following command from the Junos OS shell:
% sysctl security.mac.veriexec.state
If veriexec is enforced, the output should be:
security.mac.veriexec.state: loaded active enforce
Additionally, on the platforms where veriexec is not enforced, the ability to load or execute code is limited to privileged users only.

Note: on older Junos OS releases, the above command might give a different result. On those releases the alternative command is:
/sbin/veriexec -i enforce
Its exit status will be 0 (true) if veriexec is being enforced.
If veriexec is enforced:
% /sbin/veriexec -i enforce || echo "ERROR: veriexec not enforced"
%
If veriexec is not enforced:
% /sbin/veriexec -i enforce || echo "ERROR: veriexec not enforced"
ERROR: veriexec not enforced
%
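The two checks above can be combined into a single audit routine that works on both current and older Junos OS releases. The following is an added example and is not part of the JSA or of Junos OS; it assumes only the two commands and the enforced-state output shown above, and treats any other state string reported by the sysctl as "not enforced" (an assumption, since the bulletin shows only the enforced form). The sample observation strings are constructed for illustration, not captured from a device.

```shell
#!/bin/sh
# Added example (not from the JSA): audit veriexec enforcement by combining
# the sysctl state line (current releases) with the /sbin/veriexec exit
# status (older releases), as the bulletin describes.

# Decide the verdict from two observations:
#   $1  output line of `sysctl security.mac.veriexec.state` ("" if unavailable)
#   $2  exit status of `/sbin/veriexec -i enforce` ("" if it was not run)
# Prints enforced / not-enforced / unknown and returns 0 / 1 / 2 respectively.
veriexec_verdict() {
    sysctl_line=$1
    veriexec_rc=$2
    case "$sysctl_line" in
        "security.mac.veriexec.state:"*" enforce"*)
            # Matches the enforced output shown in the bulletin:
            #   security.mac.veriexec.state: loaded active enforce
            echo enforced; return 0 ;;
    esac
    if [ -n "$veriexec_rc" ]; then
        # Bulletin: an exit status of 0 (true) means enforcement is on.
        if [ "$veriexec_rc" -eq 0 ]; then echo enforced; return 0; fi
        echo not-enforced; return 1
    fi
    if [ -n "$sysctl_line" ]; then
        # The oid exists but does not report "enforce". Assumption: any other
        # state string means enforcement is off.
        echo not-enforced; return 1
    fi
    # Neither check produced a usable observation; needs manual follow-up.
    echo unknown; return 2
}

# Gather the observations on a Junos OS shell and print the verdict.
# Both commands are run defensively so a missing oid or binary does not abort.
audit_veriexec() {
    line=$(sysctl security.mac.veriexec.state 2>/dev/null || true)
    rc=""
    if [ -x /sbin/veriexec ]; then
        if /sbin/veriexec -i enforce >/dev/null 2>&1; then rc=0; else rc=$?; fi
    fi
    veriexec_verdict "$line" "$rc"
}

# Constructed sample observation (not captured from a device), in the shape
# the bulletin shows for an enforcing system.
SAMPLE_ENFORCED_LINE="security.mac.veriexec.state: loaded active enforce"

if [ "${1:-}" = "--live" ]; then
    # On the device: `sh audit_veriexec.sh --live`; exit status 0 = enforced.
    audit_veriexec
else
    # Offline walk-through of the decision logic on constructed inputs.
    veriexec_verdict "$SAMPLE_ENFORCED_LINE" ""   # prints: enforced
    veriexec_verdict "" 1                          # prints: not-enforced
fi
```

Run it with `--live` from the Junos OS shell to audit the device itself; the non-zero exit status of the verdict makes it usable in a compliance check (for example `audit_veriexec || echo "ERROR: veriexec not enforced"`, mirroring the bulletin's one-liner).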
 
Either of these defenses is sufficient to ensure there is no exposure to privileged memory being read by an unauthorized user as a result of these vulnerabilities.
 
Deployments where users can execute untrusted code, including many virtualized, container, Flex, and application products are potentially impacted.  Customers should follow standard BCPs to limit exposure and apply fixes as they become available.
Solution:

Product Status:

Juniper SIRT is actively investigating the impact on Juniper Networks products and services. 

The following products may contain affected microprocessors and operating systems; the defenses above should be used to eliminate exposure:
  • Junos OS based platforms
  • Junos Space appliance
  • Qfabric Director
  • CTP Series
  • NSMXpress/NSM3000/NSM4000 appliances 
  • STRM/Juniper Secure Analytics (JSA) appliances
  • SRC/C Series
  • Contrail on Ubuntu

The following products are not impacted. They do not have the components or scenarios required for exploitation of these vulnerabilities:
  • ScreenOS / Netscreen platforms
  • JUNOSe / E Series platforms
  • BTI platforms
  • Cyphort appliance
  • SRX100 Series / SRX200 Series / SRX300 Series / SRX550 / SRX650
  • LN1000 and LN2600 Security Routers
  • CBA Series Wireless WAN Bridge

The following products should get fixes from the platform vendors for the platforms on which they are deployed:
  • Contrail Product Family (including Contrail Networking, Contrail Security and Contrail Cloud):
- For Ubuntu based platforms: customers will require an upstream patch from: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown
  Additionally, there will be a Contrail release to incorporate relevant fixes.
- For Redhat based platforms: customers will require an upstream patch from https://access.redhat.com/errata/RHSA-2018:0007/
  No further Contrail patch is required from Juniper.
- For Centos based platforms: customers will require an upstream patch from: https://lists.centos.org/pipermail/centos-announce/2018-January/
  No further Contrail patch is required from Juniper.
  • AppFormix
- AppFormix is a pure software application product and is indirectly impacted. Customers should patch their host.
  • WANDL IP/MPLSView
 
Juniper is continuing to investigate our product portfolio for affected products that are not mentioned above. As new information becomes available this document will be updated.
 
Where possible, Juniper will be developing software fixes that prevent these types of attacks.  This JSA will be updated as those fixes become available for Juniper devices.
Workaround:
In order to mitigate this vulnerability, only run software from trusted sources.  It is also recommended to limit the access to critical infrastructure networking equipment to only trusted administrators from trusted administrative networks or hosts.
 
Modification History:
2018-01-05: Initial publication
2018-01-08: Minor update on the Product Status section
2018-01-11: Update on the problem description with regards to information on multiple layers of protection and minor update on product status
2018-01-12: Update on the Product Status section
2018-01-18: Update on the Product Status section SRX6500->SRX650
2018-01-24: Additional information to check veriexec enforcement on older Junos OS releases: /sbin/veriexec -i enforce
2018-02-02: Update on the Product Status section LN1000 and LN2600
2018-02-20: Update on AppFormix
2018-02-22: Update on WANDL IP/MPLSView



Related Links:
CVSS Score:
4.1 (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N)
Risk Level:
Low
Risk Assessment:
In the case of Junos OS, in order to exploit this vulnerability an attacker must have local authenticated privileged (admin) access and needs to bypass the image validation checking.