Security Advisory – Meltdown and Spectre
Recent disclosure of the Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715) vulnerability affecting modern processors triggers many questions regarding the related impact on EfficientIP products. These exploits technically permit any program to read the entire memory of a computer resulting in potential confidential information leak. However, these exploits require the execution of specially crafted payloads on the targeted host.
SOLIDserverTM security design does not permit non-administrator users to execute arbitrary code on SOLIDserver appliances. There is currently no identified vulnerability allowing remote code execution on the operating system for taking advantage of the Meltdown or Spectre exploits. As a result the exposure is strictly limited to SOLIDserver administrators and there is no risk of DOS using these exploits directly.
However, in virtual environments SOLIDserver shares the physical memory of the host with other virtual machines, so exposure is increased as a malicious payload can be executed on a third-party virtual machine to access physical host memory and so on SOLIDserver memory data. As a result:
- If you are running SOLIDserver on a public cloud provider, it’s very likely that they are currently deploying proper fixes on their infrastructure and SOLIDserver exposure is therefore limited. We highly encourage you to contact your cloud provider to estimate your exposure.
- If you are running SOLIDserver on a private cloud environment, please refer to your hypervisor provider advisories to apply proper patches.
EfficientIP is currently working on a fix for its SOLIDserver products and will release a security patch as soon as possible. For the time being, we recommend you enforce security best practices and limit access to critical infrastructure networking equipment to only trusted administrators from trusted administrative networks or hosts.