Saturday 6 January 2018

2018-01 Out of Cycle Security Bulletin: Meltdown & Spectre: CPU Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method

Product Affected:
See Problem and Solution sections below.
Problem:
Modern microprocessors that implement speculative execution of instructions are susceptible to a new class of cache timing attacks being called "Meltdown" and "Spectre".  These vulnerabilities could allow an attacker to read privileged memory which may contain sensitive information such as passwords or encryption keys.

There are three known variants of the issue:
  • Variant 1: bounds check bypass (CVE-2017-5753)
  • Variant 2: branch target injection (CVE-2017-5715)
  • Variant 3: rogue data cache load (CVE-2017-5754)
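Of the three variants, Variant 1 is the one that software authors can address in their own code, which is why it matters for anything that runs unsigned code on the affected CPUs. The following C program is an added illustration and is not part of the Juniper bulletin or any Juniper software: it places the classic bounds-check-bypass gadget next to a hardened form that clamps the index with a data-dependent mask, the same construction as the Linux kernel's generic `array_index_mask_nospec()`. The array contents, the "secret" that follows the array, the probe region and the helper names (`read_vulnerable`, `read_hardened`, `clamped_index`) are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data, not from any Juniper image: a public array
 * followed (in this toy layout) by data the caller must never read. */
#define PUBLIC_LEN 16
#define STRIDE 64                        /* one cache line per possible byte value */
static uint8_t public_array[PUBLIC_LEN] = {
    0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 };
static const char secret_after_array[] = "constructed-secret";  /* never returned */
static uint8_t probe[256 * STRIDE];      /* attacker-observable region, zero-filled */

/* Variant 1 gadget as it is usually written.  The bounds check is
 * architecturally correct, but a branch predictor trained on in-bounds calls
 * can run the body speculatively with index >= PUBLIC_LEN; the dependent
 * probe[] load then leaves a cache footprint encoding the out-of-bounds byte. */
uint8_t read_vulnerable(size_t index)
{
    if (index < PUBLIC_LEN) {
        uint8_t value = public_array[index];
        return (uint8_t)(probe[(size_t)value * STRIDE] + value);
    }
    return 0;
}

/* Branch-free clamp in the style of the Linux kernel's generic
 * array_index_mask_nospec(): all ones when index < size, zero otherwise.
 * Requires size <= SIZE_MAX / 2 so that (size - 1 - index) only sets the top
 * bit by wrapping when index >= size.  Because the result is a data
 * dependency rather than a branch, it still holds while the CPU is
 * speculating past a mispredicted bounds check. */
size_t index_mask_nospec(size_t index, size_t size)
{
#if defined(__GNUC__)
    __asm__ __volatile__("" : "+r"(index));  /* stop the compiler folding the mask via the branch */
#endif
    size_t oob = (index | (size - 1 - index)) >> (sizeof(size_t) * 8 - 1);
    return (size_t)0 - (oob ^ 1);            /* in bounds: 0 - 1 = all ones; out of bounds: 0 */
}

/* Index the hardened gadget uses even if the bounds branch were bypassed. */
size_t clamped_index(size_t index)
{
    return index & index_mask_nospec(index, PUBLIC_LEN);
}

/* Same gadget with the index masked after the check: a speculative
 * out-of-bounds index collapses to element 0, so the probe load reveals
 * nothing about memory past the array. */
uint8_t read_hardened(size_t index)
{
    if (index < PUBLIC_LEN) {
        uint8_t value = public_array[clamped_index(index)];
        return (uint8_t)(probe[(size_t)value * STRIDE] + value);
    }
    return 0;
}

int main(void)
{
    size_t samples[] = { 0, 7, PUBLIC_LEN - 1, PUBLIC_LEN, PUBLIC_LEN + 40, SIZE_MAX };
    printf("%-22s %-18s %s\n", "index", "mask", "index used under speculation");
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22zu 0x%016zx %zu\n", samples[i],
               index_mask_nospec(samples[i], PUBLIC_LEN), clamped_index(samples[i]));
    printf("read_vulnerable(7)=%u read_hardened(7)=%u read_hardened(40)=%u\n",
           read_vulnerable(7), read_hardened(7), read_hardened(40));
    (void)secret_after_array;
    return 0;
}
```

The program shows the arithmetic of the mitigation and the architectural results, not the leak itself: observing the leak needs a trained predictor plus cache-timing measurement, which is CPU-specific and outside this example. The point a reviewer should check in real code is the one the `__asm__` barrier guards: a compiler that can see `index < PUBLIC_LEN` on the path may fold the mask to all ones unless the index is hidden from it, which is why the kernel's version uses the same trick.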

Almost all modern CPUs, including the ones in most Juniper products, use speculative execution and are potentially susceptible to these types of attacks. However, it is important to note that in order to exploit this weakness and gain access to restricted memory, the attack requires executing crafted code on the device. Many networking devices from Juniper can only execute code signed by Juniper.  In these devices there is no exposure to privileged memory being read by an unauthorized user.

Deployments where users can execute arbitrary code, including many virtualized, container, Flex, and application products, are potentially impacted. Customers should follow standard best current practices (BCPs) to limit exposure and apply fixes as they become available.
 
Solution:

Product Status:

Juniper SIRT is actively investigating the impact on Juniper Networks products and services.

The following products may be impacted if deployed in a way that allows unsigned code execution:
  • Junos OS based platforms
  • Junos Space appliance
  • Qfabric Director
  • CTP Series
  • NSMXpress/NSM3000/NSM4000 appliances 
  • STRM/Juniper Secure Analytics (JSA) appliances
  • SRC/C Series

The following products are not impacted:
  • ScreenOS / Netscreen platforms
  • JUNOSe / E Series platforms
  • BTI platforms

Juniper is continuing to investigate our product portfolio for affected products that are not mentioned above. As new information becomes available this document will be updated.

Where possible, Juniper will be developing software fixes that prevent these types of attacks. This JSA will be updated as those fixes become available for Juniper devices.
 
Workaround:
In order to mitigate this vulnerability, only run software from trusted sources.  It is also recommended to limit the access to critical infrastructure networking equipment to only trusted administrators from trusted administrative networks or hosts.
 
Modification History:
2018-01-05: Initial publication

Related Links:
CVSS Score:
4.1 (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N)
Risk Level:
Low
Risk Assessment:
In the case of Junos OS, in order to exploit this vulnerability an attacker must have local, authenticated, privileged (admin) access and must also bypass the image validation checking.

Monday 1 January 2018

Juniper : Telco Cloud

A Telco cloud is:

Automated—Built as a series of virtualized objects, a Telco cloud is automated and
orchestrated to deliver network functions and capacity on demand. Rather than
the typical three-plus months required to order, install, and configure a traditional
network appliance, a Telco cloud can instantiate virtualized network elements on
industry-standard, carrier-grade compute platforms in a matter of minutes.


Scalable—A Telco cloud supports scale-up with some of the highest performance
routing and switching platforms available today, seamlessly combined with virtualized
network scalability that leverages cloud principles of scale-up/scale-out to adaptively
deliver capacity on demand. A Telco cloud can also scale down by employing smaller,
often virtualized network objects that can be pushed closer to the subscriber edge to
improve network responsiveness and deliver an improved customer experience.



Flexible—Traditionally, installing a new network function—particularly to generate
new revenues—faced a restrictive CapEx/OpEx/time hurdle, limiting new functionality.
With a Telco cloud, the network itself becomes a flexible service creation platform
that enables new capabilities to be instantiated as virtual objects into the network
with cloud network automation—all of which can be evaluated in a matter of minutes
and at a fraction of the cost and complexity of previous manual methods.