Peplink Security Advisory: CVE-2017-5753, CVE-2017-5715 (Spectre); CVE-2017-5754 (Meltdown)

On January 3rd, 2018, the details of CPU architecture flaws were reported by a number of security researchers. See the detailed information at: https://spectreattack.com or https://meltdownattack.com

The discovered security flaws are caused by “speculative execution”, a technique used by most modern processors to optimize performance. These flaws could lead to disclosure of sensitive data stored in privileged memory (which is normally allocated to privileged processes or the operating system kernel) to a malicious party. The reported flaws were later acknowledged by the respective CPU vendors in official statements.

We have evaluated our products and online services to assess the impact of these vulnerabilities.

Products

  • The only affected products are Balance with MediaFast 200, MediaFast 500 and MediaFast 750. A patch to fix the vulnerabilities will be released within firmware 7.1.0.
    As a temporary workaround, switch off the Docker and ContentHub functionality on affected devices.

  • All other Balance models besides the above are not affected.

  • MAX, FusionHub, Surf and AP series are not affected.

FAQ

Malicious Code
Most of our products are closed systems that do not allow customers to run custom code on the device; therefore, most products are not vulnerable.

In order to exploit the vulnerabilities, an attacker must be able to run code locally on an affected device. Administrators of affected devices should review the access rights of all parties with admin privileges until the vulnerability is patched.

Performance Impact
The performance impact (if any) on the MediaFast series will be shared after the firmware update is released. We expect negligible impact on performance. Learn more in the following Google Security Blog post: https://security.googleblog.com/2018/01/more-details-about-mitigations-for-cpu_4.html

FusionHub and InControl2 Virtual Appliance on AWS, GCE and Azure
According to official statements from Amazon, Google and Microsoft, AWS, GCE and Azure platforms have already been successfully patched.

If you are using services of other cloud platform vendors, make sure their platforms are successfully patched.

Private Virtual Machines (VMware, Citrix XenServer, Oracle VirtualBox and Microsoft Hyper-V)
Make sure you are using the latest versions of hypervisor software (that include fixes to the above vulnerabilities) in your deployments.
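For Linux hosts and guests in the cloud and private-VM deployments above, the following added check (not part of the Peplink advisory) reports the kernel's own view of the Spectre and Meltdown mitigation status. It assumes the /sys/devices/system/cpu/vulnerabilities interface that recent Linux kernels expose (one file per flaw); the directory argument exists only so the check can be run against a constructed copy.

```shell
#!/bin/sh
# Added example (not Peplink's code). Reads the per-flaw status files the
# Linux kernel publishes under /sys/devices/system/cpu/vulnerabilities.
# Each file holds "Not affected", "Vulnerable[: detail]" or "Mitigation: ...".
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# check_mitigations [DIR]
# Prints one line per flaw plus a summary line.
# Returns 0 if nothing is reported Vulnerable, 1 if something is,
# 2 if the interface is missing (kernel too old or patches not installed).
check_mitigations() {
    dir="${1:-$VULN_DIR}"
    unmitigated=0
    if [ ! -d "$dir" ]; then
        echo "no vulnerabilities interface at $dir; update the kernel/hypervisor" >&2
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name="${f##*/}"
        status=$(cat "$f")
        case "$status" in
            Vulnerable*)
                echo "UNMITIGATED  $name: $status"
                unmitigated=$((unmitigated + 1)) ;;
            Mitigation*)
                echo "mitigated    $name: $status" ;;
            *)
                echo "ok           $name: $status" ;;
        esac
    done
    echo "summary: $unmitigated unmitigated"
    [ "$unmitigated" -eq 0 ]
}

# Run directly with "--run" to inspect the local machine.
if [ "${1:-}" = "--run" ]; then
    check_mitigations "$VULN_DIR"
fi
```

A nonzero exit status (1) on a hypervisor or guest means at least one of the flaws named in this advisory is still reported as unmitigated by the kernel.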

Further Updates
This advisory may be updated if any additional information regarding the above vulnerabilities becomes available.
