Microprocessor Side-Channel Attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on RSA products

2 years ago

Originally Published: 2018-01-04

Article Number

000067332

CVE Identifier(s)

CVE-2017-5715, CVE-2017-5753, CVE-2017-5754

Article Summary

RSA is aware of the new side-channel analysis attacks (also known as Meltdown and Spectre) affecting many modern microprocessors that were published by a team of security researchers on January 3, 2018. An unprivileged attacker with local user access to the system could potentially leverage these attacks to read privileged memory data that would otherwise be inaccessible.

Variant 1 (CVE-2017-5753, Spectre): Bounds check bypass
Variant 2 (CVE-2017-5715, also Spectre): Branch target injection
Variant 3 (CVE-2017-5754, Meltdown): Rogue data cache load

RSA has completed investigation of the impact of these issues on our products. This article will be updated with remediation steps as they become available for impacted products.

RSA recommends customers to follow security best practices for malware protection in general to protect against possible exploitation of these analysis methods until any future updates can be applied.

Link to Advisories

Intel Security Advisory: https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
AMD Update: http://www.amd.com/en/corporate/speculative-execution
Microsoft Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
Google Project Zero Blog Post: https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
Research papers: https://meltdownattack.com

Resolution

RSA Product Name	Versions	Impacted?	Details	Last Updated
3D Secure / Adaptive Authentication eCommerce		Not Impacted	Direct access to RSA’s hosted devices and systems is granted only to administrative users who require it for the performance of their job functions. As a result, the reported issues do not introduce additional security risk to customer data hosted within the environment, and patches will be handled through the standard RSA vulnerability remediation process.	2018-01-17
Access Manager	6.2	Not Impacted	It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system.	2018-01-08
Adaptive Authentication Cloud		Impacted - Remediated	We have confirmed that our third party cloud platform provider has remediated the issue at the platform level. This remediation fully addresses the risk and requires no customer action. Direct access to RSA’s hosted devices and systems is granted only to administrative users who require it for the performance of their job functions. As a result, the reported issues do not introduce additional security risk at the OS level to customer data hosted within the environment, and OS level patches will be handled through the standard RSA vulnerability remediation process.	2018-01-17
Adaptive Authentication Hosted		Not Impacted	Direct access to RSA’s hosted devices and systems is granted only to administrative users who require it for the performance of their job functions. As a result, the reported issues do not introduce additional security risk to customer data hosted within the environment, and patches will be handled through the standard RSA vulnerability remediation process.	2018-01-17
Adaptive Authentication On-Prem	All Supported	Not Impacted	It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system.	2018-01-10
Archer Hosted (US)		Impacted - Remediated	We have confirmed that our third party cloud platform provider has remediated the issue at the platform level. This remediation fully addresses the risk and requires no customer action. Direct access to RSA’s hosted devices and systems is granted only to administrative users who require it for the performance of their job functions. As a result, the reported issues do not introduce additional security risk at the OS level to customer data hosted within the environment, and OS level patches will be handled through the standard RSA vulnerability remediation process.	2018-01-17
Archer Hosted (EMEA)		Not Impacted	Direct access to RSA’s hosted devices and systems is granted only to administrative users who require it for the performance of their job functions. As a result, the reported issues do not introduce additional security risk to customer data hosted within the environment, and patches will be handled through the standard RSA vulnerability remediation process.	2018-01-17
Archer Platform	All Supported	Not Impacted	It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system.	2018-01-08
Archer Security Operations Management (SecOps)	All Supported	Not Impacted	It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system.	2018-01-08
Archer Vulnerability & Risk Manager (VRM) - Hardware Appliance	All Supported	Not Impacted	As a single, root-user-only appliance, the reported issues do not introduce any additional security risk to a customer's environment because a root level user already has full access to all information on the system. Customers should follow the recommended best practices to protect the access of highly privileged accounts. For guidance on updating your RSA Archer VRM Hardware Appliance with the latest OS and BIOS firmware updates, refer to KB article 000036320.	2018-05-15
Archer Vulnerability & Risk Manager (VRM) - Virtual Appliance	All Supported	Not Impacted	It is a single-user, root-user-only virtual appliance. The reported issues do not introduce any additional security risk to a customer's environment for "in-guest" attacks, provided the recommended best practices to protect the access of highly privileged accounts are followed. Check with your hardware system vendor and hypervisor vendor for any available updates for the host system to prevent "guest-to-host" and "guest-to-guest" attacks. For guidance on applying OS patches to your RSA Archer VRM Virtual Appliance, refer to KB article 000036184.	2018-05-15
Authentication Manager (Hardware Appliance - Dell PowerEdge & Intel platforms)	All Supported	Not Impacted	It is a single-user, root-user-only appliance. The reported issues do not introduce any additional security risk to a customer's environment, provided the recommended best practices to protect the access of highly privileged accounts are followed.	2018-01-10
Authentication Manager (Virtual Appliance)	All Supported	Not Impacted	It is a single-user, root-user-only virtual appliance. The reported issues do not introduce any additional security risk to a customer's environment for "in-guest" attacks, provided the recommended best practices to protect the access of highly privileged accounts are followed. Check with your hardware system vendor and hypervisor vendor for any available updates for the host system to prevent "guest-to-host" and "guest-to-guest" attacks.	2018-01-10
Authentication Manager Web Tier	All Supported	Not Impacted	It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system.	2018-01-11
BSAFE C Products: MES, Crypto-C ME, SSL-C	All Supported	Not Impacted	It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system.	2018-01-09
BSAFE Java Products: Cert-J, Crypto-J, SSL-J	All Supported	Not Impacted	It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system.	2018-01-09
Data Loss Prevention (Hardware Appliance)	9.6.x, 9.5.x	Impacted - Remediated	Refer to the security advisory DSA-2018-163.	2018-09-11
Data Loss Prevention (Virtual Appliance)	9.6.x, 9.5.x	Impacted - Remediated	Check with your hardware system vendor and hypervisor vendor for any available updates for the host system to prevent "guest-to-host" and "guest-to-guest" attacks. Refer to the security advisory DSA-2018-163 for updating guest operating system to prevent "in-guest" attacks.	2018-09-11
Data Protection Manager (Software)	All Supported	Not Impacted	It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system.	2018-01-08
Data Protection Manager (Hardware Appliance)	All Supported	Impacted - Remediated	RSA Data Protection Manager 3.5.2.6.1 contains resolution for this issue. For more details, refer to the security advisory DSA-2018-078.	2018-05-31
Data Protection Manager (Virtual Appliance)	All Supported	Impacted - Remediated	Check with your hardware system vendor and hypervisor vendor for any available updates for the host system to prevent "guest-to-host" and "guest-to-guest" attacks. RSA Data Protection Manager 3.5.2.6.1 contains resolution for this issue. For more details, refer to the security advisory DSA-2018-078.	2018-05-31
DCS: Certificate Manager	6.9	Not Impacted	It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system.	2018-01-09
DCS: Validation Manager	3.2	Not Impacted	It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system.	2018-01-09
eFraudNetwork (eFN)		Not Impacted	Direct access to RSA’s hosted devices and systems is granted only to administrative users who require it for the performance of their job functions. As a result, the reported issues do not introduce additional security risk to customer data hosted within the environment, and patches will be handled through the standard RSA vulnerability remediation process.	2018-01-17
enVision	EOL		The product has reached End of Life. Please refer to the Product Version Life Cycle for RSA enVision page on RSA Link.	2018-01-11
Federated Identity Manager	4.2	Not Impacted	It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system.	2018-01-08
FraudAction (OTMS)		Not Impacted	Direct access to RSA’s hosted devices and systems is granted only to administrative users who require it for the performance of their job functions. As a result, the reported issues do not introduce additional security risk to customer data hosted within the environment, and patches will be handled through the standard RSA vulnerability remediation process.	2018-01-17
Identity Governance and Lifecycle (Software), Via Lifecycle and Governance (Software), Identity Management & Governance (Software)	7.0.2, 7.0.1, 7.0, 6.9.1, 6.9.0	Not Impacted	It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system.	2018-01-08
Identity Governance & Lifecycle (Hardware Appliance), Via Lifecycle & Governance (Hardware Appliance), Identity Management & Governance (Hardware Appliance)	7.0.2, 7.0.1, 7.0, 6.9.1, 6.9.0	Impacted	Remediation plan is in progress. An appliance updater with OS updates and a security advisory on applying the BIOS fix will be made available (target date: TBD). Any Remote Agents or Remote AFX deployed in customer environment are a software product only and are not impacted. Check with your hardware system vendor and operating system vendor for any available updates for the host system.	2018-01-24
Identity Governance and Lifecycle SaaS / MyAccessLive		Impacted - Remediated	We have confirmed that our third party cloud platform provider has remediated the issue at the platform level. This remediation fully addresses the risk and requires no customer action. Direct access to RSA’s hosted devices and systems is granted only to administrative users who require it for the performance of their job functions. As a result, the reported issues do not introduce additional security risk at the OS level to customer data hosted within the environment, and OS level patches will be handled through the standard RSA vulnerability remediation process. Any Remote Agents or Remote AFX deployed in customer environment are a software product only and are not impacted. Check with your hardware system vendor and operating system vendor for any available updates for the host system.	2018-01-15
NetWitness Endpoint (ECAT)	All Supported	Not Impacted	It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system.	2018-01-08
NetWitness Logs & Packets / Security Analytics (Hardware Appliance)	All Supported	Not Impacted	As a single, root-user-only appliance, the reported issues do not introduce any additional security risk to a customer's environment because a root level user already has full access to all information on the system. Customers should follow the recommended best practices to protect the access of highly privileged accounts. The BIOS/OS updates will be incorporated to the product release as part of the regular patching process (current target date is February, 2018).	2018-01-17
NetWitness Logs & Packets / Security Analytics (Virtual Appliance)	All Supported	Not Impacted	It is a single-user, root-user-only virtual appliance. The reported issues do not introduce any additional security risk to a customer's environment for "in-guest" attacks, provided the recommended best practices to protect the access of highly privileged accounts are followed. Check with your hardware system vendor and hypervisor vendor for any available updates for the host system to prevent "guest-to-host" and "guest-to-guest" attacks.	2018-01-11
NetWitness Logs & Packets / Security Analytics - Legacy Windows Collector	All Supported	Not Impacted	It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system.	2018-01-10
NetWitness Live Infrastructure		Not Impacted	Direct access to RSA’s hosted devices and systems is granted only to administrative users who require it for the performance of their job functions. As a result, the reported issues do not introduce additional security risk to customer data hosted within the environment, and patches will be handled through the standard RSA vulnerability remediation process.	2018-01-17
RSA Authentication Client (RAC)	All Supported	Not Impacted	It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system.	2018-01-10
RSA Central		Not Impacted	Direct access to RSA’s hosted devices and systems is granted only to administrative users who require it for the performance of their job functions. As a result, the reported issues do not introduce additional security risk to customer data hosted within the environment, and patches will be handled through the standard RSA vulnerability remediation process.	2018-01-17
SecurID Access Cloud Service	All Supported	Impacted - Remediated	We have confirmed that our third party cloud platform provider has remediated the issue at the platform level. This remediation fully addresses the risk and requires no customer action. Direct access to RSA’s hosted devices and systems is granted only to administrative users who require it for the performance of their job functions. As a result, the reported issues do not introduce additional security risk at the OS level to customer data hosted within the environment, and OS level patches will be handled through the standard RSA vulnerability remediation process.	2018-01-15
SecurID Access IDR VM	All Supported	Not Impacted	Access to the virtual appliance OS to load external code is restricted to highly privileged accounts only. The reported issues do not introduce any additional security risk to a customer's environment for potential "in-guest" attacks, provided the recommended best practices to protect the access of highly privileged accounts are followed. Check with your hardware system vendor and hypervisor vendor for any available updates for the host system to prevent "guest-to-host" and "guest-to-guest" attacks.	2018-01-15
SecurID Agent for PAM	All Supported	Not Impacted	It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system.	2018-01-09
SecurID Agent for Web	All Supported	Not Impacted	It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system.	2018-01-09
SecurID Agent for Windows	All Supported	Not Impacted	It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system.	2018-01-09
SecurID Authenticate App for Android	All Supported	Not Impacted	It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system.	2018-01-11
SecurID Authenticate App for iOS	All Supported	Not Impacted	It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system.	2018-01-11
SecurID Authenticate App for Windows 10	All Supported	Not Impacted	It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system.	2018-01-11
SecurID Authentication Engine	All Supported	Not Impacted	It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system.	2018-01-09
SecurID Authentication SDK	All Supported	Not Impacted	It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system.	2018-01-09
SecurID Software Token Converter	All Supported	Not Impacted	It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system.	2018-01-09
SecurID Software Token for Android	All Supported	Not Impacted	It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system.	2018-01-09
SecurID Software Token for Blackberry	All Supported	Not Impacted	It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system.	2018-01-09
SecurID Software Token for Desktop	All Supported	Not Impacted	It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system.	2018-01-09
SecurID Software Token for iPhone	All Supported	Not Impacted	It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system.	2018-01-09
SecurID Software Token for Windows Mobile	All Supported	Not Impacted	It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system.	2018-01-09
SecurID Software Token Toolbar	All Supported	Not Impacted	It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system.	2018-01-09
SecurID Software Token Web SDK	All Supported	Not Impacted	It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system.	2018-01-09
SecurID Transaction Signing SDK	All Supported	Not Impacted	It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system.	2018-01-09
SYN		Impacted - Remediated	We have confirmed that our third party cloud platform provider has remediated the issue at the platform level. This remediation fully addresses the risk and requires no customer action. Direct access to RSA’s hosted devices and systems is granted only to administrative users who require it for the performance of their job functions. As a result, the reported issues do not introduce additional security risk at the OS level to customer data hosted within the environment, and OS level patches will be handled through the standard RSA vulnerability remediation process.	2018-01-17
Web Threat Detection	All Supported	Not Impacted	It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system.	2018-01-10

Notes

For information regarding the impact on other Dell products refer to the following knowledge base articles:

Dell EMC: https://support.emc.com/kb/516117
Dell Client: http://www.dell.com/support/article/SLN308587
Dell Enterprise (Dell Servers, Storage, and Networking): http://www.dell.com/support/article/SLN308588
Dell EMC CPSD: http://support.vce.com/kA2A0000000PHXB

Disclaimer

Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1- 800 995 5095. RSA Security LLC and its affiliates, including without limitation, its ultimate parent company, EMC Corporation, distributes RSA Security Advisories in order to bring to the attention of users of the affected RSA products, important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided 'as is' without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall RSA, its affiliates or suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates or suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

Don't see what you're looking for?

Potential Impact from Salesforce Device Activation Change

Related Articles

Trending Articles