Reset Search
 

 

Article

VN 2018-001 (CVE-2017-5715, CVE-2017-5753 - Spectre)

« Go Back

Vulnerability Notice

 
Vulnerability Summary

"Spectre" is an attack that utilizes the speculative execution mechanism in modern processors to create a side-channel attack using the processor cache. Local execution of a crafted program is required to conduct the exploit.

The Spectre exploit has been demonstrated to communicate arbitrary kernel space memory contents to an unprivileged user process. However, the Spectre exploit may be utilized to create arbitrary illegal information flows between two cooperating subjects running crafted code.

Extreme products utilize a number of different processor architectures, some of which contain the Spectre vulnerability. Extreme products that do not provide a mechanism to execute third-party code are not exposed to Spectre exploits provided other unauthorized means are not employed to gain privileged access to the system to install code. Extreme products that offer a mechanism to execute third-party code are being assessed to determine the scope of exposure and available mitigations.

Extreme products deployed in virtual environments may be exposed to Spectre if the hosting environment is vulnerable.

Extreme continues to monitor and evaluate upstream vendor processor microcode and software updates. Patches or other mitigations may be deployed in future software updates.


See also: https://spectreattack.com/, https://www.kb.cert.org/vuls/id/584653
Products Potentially Affected
   
ProductSpectre Vulnerability PresentSpectre Vulnerability ExposureStatus
ExtremeSwitching
X150NoNoNo further action planned
X250NoNoNo further action planned
X350NoNoNo further action planned
X430NoNoNo further action planned
X440NoNoNo further action planned
X440-G2NoNoNo further action planned
X450a/eNoNoNo further action planned.
X450-G2NoNoNo further action planned
X460NoNoNo further action planned
X460-G2NoNoNo further action planned
X480NoNoNo further action planned
X620NoNoNo further action planned
X650NoNoNo further action planned
X670NoNoNo further action planned
X670-G2NoNoNo further action planned
X690YesYesUnder Investigation
X770NoNoNo further action planned
X870YesYesUnder Investigation
BD 8800 (MSM-G8X, MSM-48)NoNoNo further action planned.
BD 8800/8900 (MSM-48c, 8500-MSM24, 8900-MSM128, 8900-MSM96)YesLimited. User cannot execute externally crafted programs under normal operating conditions.No further action planned.
BD X8YesYesUnder Investigation
E4G-200NoNoNo further action planned
E4G-400NoNoNo further action planned
 
SecurestackNoNoNo further action planned
G-SeriesNoNoNo further action planned
A-SeriesNoNoNo further action planned
B-SeriesNoNoNo further action planned
C-SeriesNoNoNo further action planned
K-SeriesNoNoNo further action planned
S-SeriesNoNoNo further action planned
 
MLX/MLXe (including line cards)YesLimited. User cannot execute externally crafted programs under normal operating conditionsUnder Investigation
CES/CERYesLimited. User cannot execute externally crafted programs under normal operating conditionsUnder Investigation
VDXYesLimited. User cannot execute externally crafted programs under normal operating conditionsUnder Investigation
SLX9140/9240YesYesUnder investigation
SLX9540/9850 (including line cards)YesYesUnder investigation
 
VSP 4850GTS/GTS-PWR+Under investigationUnder investigationUnder investigation
VSP 4450GSX/GSX-PWR+/HTXYesLimited. User cannot execute externally crafted programs under normal operating conditionsNo further action planned
VSP 7254 XSQ/XTQYesLimited. User cannot execute externally crafted programs under normal operating conditionsNo further action planned
VSP 8284XSQYesLimited. User cannot execute externally crafted programs under normal operating conditionsNo further action planned
VSP 8404/8404CYesLimited. User cannot execute externally crafted programs under normal operating conditionsNo further action planned
VSP 8608YesLimited. User cannot execute externally crafted programs under normal operating conditionsNo further action planned
 
ERS2500YesLimited. User cannot execute externally crafted programs under normal operating conditionsNo further action planned
ERS3500YesLimited. User cannot execute externally crafted programs under normal operating conditionsNo further action planned
ERS3600YesLimited. User cannot execute externally crafted programs under normal operating conditionsNo further action planned
ERS4500YesLimited. User cannot execute externally crafted programs under normal operating conditionsNo further action planned
ERS4800YesLimited. User cannot execute externally crafted programs under normal operating conditionsNo further action planned
ERS4900YesLimited. User cannot execute externally crafted programs under normal operating conditionsNo further action planned
ERS5500YesLimited. User cannot execute externally crafted programs under normal operating conditionsNo further action planned
ERS5600YesLimited. User cannot execute externally crafted programs under normal operating conditionsNo further action planned
ERS5900YesLimited. User cannot execute externally crafted programs under normal operating conditionsNo further action planned
VSP7000YesLimited. User cannot execute externally crafted programs under normal operating conditionsNo further action planned
APLS (Avaya Private Label Switching)
DSG8064YesLimited. User cannot execute externally crafted programs under normal operating conditionsNo further action planned
DSG9032YesLimited. User cannot execute externally crafted programs under normal operating conditionsNo further action planned
Legacy Modular
ERS 8300YesLimited. User cannot execute externally crafted programs under normal operating conditionsNo further action planned
ERS 8600YesLimited. User cannot execute externally crafted programs under normal operating conditionsNo further action planned
ERS 8800YesLimited. User cannot execute externally crafted programs under normal operating conditionsNo further action planned
VSP 9010/9012YesLimited. User cannot execute externally crafted programs under normal operating conditionsNo further action planned
ONA
Open Networking Adapter (for FE solution with vsp4k)YesLimited. User cannot execute externally crafted programs under normal operating conditionsNo further action planned
ADSP hardware appliances (SV-1252/ SV-3652/ NX-9500/ NX-9600)YesLimited. User cannot execute externally crafted programs under normal operating conditionsUnder investigation
ADSP Virtual MachineExamine host environmentExamine host environmentCustomers recommended to harden host environment and install all security updates
Extreme Management SuiteYesYesUnder investigation
ExtremeLocationYesLimited. User cannot execute externally crafted programs under normal operating conditionsUnder Investigation
ExtremeWireless Limited. User cannot execute externally crafted programs under normal operating conditionsNo further action planned
ExtremeWireless WiNG Limited. User cannot execute externally crafted programs under normal operating conditionsNo further action planned
T5 PowerBroadband Limited. User cannot execute externally crafted programs under normal operating conditionsNo further action planned
 
ExtremeCloudYesLimited. User cannot execute externally crafted programs under normal operating conditionsUnder investigation
Fabric OrchestratorExamine host environmentExamine host environmentCustomers recommended to harden host environment and install all security updates
Visualization Performance and Fault Manager PlusExamine host environmentExamine host environmentCustomers recommended to harden host environment and install all security updates
Extreme AnalyticsExamine host environmentExamine host environmentCustomers recommended to harden host environment and install all security updates

Extreme products not explicitly identified above are still under investigation.
Impact Details
This vulnerability notice will be updated as additional information becomes available.
Repair Recommendations

Customers of Extreme products that provide a mechanism to execute third-party code are urged to exercise care in evaluating and authenticating any applications deployed on the Extreme platform.

Customers that deploy Extreme products in virtual environments are reminded to harden their virtual environment and install all security updates.

Customers are reminded to observe all security best practices in configuration of their systems to reduce exposure to unauthorized access.

Legal Notice
This advisory notice is provided on an “as is” basis and Extreme Networks makes no representations or warranties of any kind, expressly disclaiming the warranties of merchantability or fitness for a particular use. Use of the information provided herein or materials linked from this advisory notice is at your own risk. Extreme Networks reserves the right to change or update this document at any time, and expects to update this document as new information becomes available. The information provided herein is applicable to current Extreme Networks products identified herein and is not intended to be any representation of future functionality or compatibility with any third-party technologies referenced herein. This notice shall not change any contract or agreement that you have entered into with Extreme Networks.

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255