Peplink Security Advisory: CVE-2017-5753, CVE-2017-5715 (Spectre); CVE-2017-5754 (Meltdown)

On January 3rd, 2018, the details of CPU architecture flaws were reported by a number of security researchers. See the detailed info at: https://spectreattack.com or https://meltdownattack.com

The discovered security flaws are caused by “speculative execution”, a technique used by most modern processors to optimize performance. These flaws could lead to disclosure of sensitive data stored in the privileged memory (which is normally allocated to privileged processes or the operating system kernel) to a malicious party. The reported flaws were later acknowledged by respective CPU vendors in official statements.

We have evaluated our products and online services to assess the impact of this vulnerability.

Products

  • The only affected products are Balance with MediaFast 200, MediaFast 500 and MediaFast 750. A patch to fix the vulnerabilities will be released within firmware 7.1.0.
    Temporary solution is to switch off Docker and ContentHub functionality on affected devices.

  • All other Balance series besides the above are not affected.

  • MAX, FusionHub, Surf and AP series are not affected.

FAQ

Malicious Code
Most of our products are closed systems that do not allow customers to run custom code on the device -therefore most products are not vulnerable.

In order to exploit the vulnerabilities, an attacker must be able to locally run the code on an affected device. Device administrators of affected devices are recommended to review access rights of all parties with admin privileges until the vulnerability is patched.

Performance Impact
Performance impact (if any) on MediaFast Series will be shared after the firmware update release. We expect negligible impact on performance. Learn more in the following Security Blog: https://security.googleblog.com/2018/01/more-details-about-mitigations-for-cpu_4.html

FusionHub and InControl2 Virtual Appliance on AWS, GCE and Azure
According to official statements from Amazon, Google and Microsoft, AWS, GCE and Azure platforms have already been successfully patched.

If you are using services of other cloud platform vendors, make sure their platforms are successfully patched.

Private Virtual Machines (VMware, Citrix XenServer, Oracle VirtualBox and Microsoft Hyper-V)
Make sure you are using the latest versions of hypervisor software (that include fixes to the above vulnerabilities) in your deployments.

Further Updates
This advisory may be updated if any additional information regarding the above vulnerabilities becomes available.

1 Like

This seems to be the last published Security Advisory. Is the software that good, or do Security Advisories go somewhere else now?

-Michele

1 Like

@Keith this was a serious question.

Do you not publish security advisories anymore? Are they published elsewhere? I track the security status of my equipment, and I find it odd that the last advisory was published in 2018. My experience is networking equipment vendors publish multiple advisories a month.

-Michele

Yes, this is a serious topic. Peplink will continue to issue advisories as the need arises.

Actually there is one active security advisory in the works and it will be published soon.

1 Like

Thanks Keith. I’m glad to hear that Peplink continues to monitor for security issues. Is this forum the appropriate place to watch for those advisories?

Yes, this is the place. Advisories will be published here.

1 Like