VN 2018-002 (CVE-2017-5754 - Meltdown)

"Meltdown" is an attack that exploits a flaw in the speculative execution implementation of many widely used processors to allow an unprivileged user program to examine arbitrary physical memory addresses.

In its most widely publicized form, Meltdown is demonstrated to read arbitrary kernel space memory from a user process through local execution of a crafted user space program that targets kernel memory addresses known to contain desired data.

Extreme products utilize a number of different processor architectures, some of which contain the Meltdown vulnerability. Currently demonstrated Meltdown exploits require execution of crafted code installed on the target device. Extreme products that do not provide a mechanism to execute third-party code are not exposed to Meltdown exploits provided other unauthorized means are not employed to gain privileged access to the system to install code.

While it is theoretically possible to conduct an attack strictly via network access, the challenges that must be overcome to identify the required code patterns and induce the required behavior to conduct an impactful exploit in a production environment are sufficiently high that the network-based exploit is not considered practicable at this time.

Extreme products deployed in virtual environments may be exposed to Meltdown if the hosting environment is vulnerable.

Extreme continues to monitor and evaluate upstream vendor processor microcode and software updates. Patches or other mitigations may be deployed in future software updates.

 

Product	Meltdown Vulnerability Present	Meltdown Vulnerability Exposure	Status
ExtremeSwitching
X150	No	No	No further action planned
X250	No	No	No further action planned
X350	No	No	No further action planned
X430	No	No	No further action planned
X440	No	No	No further action planned
X440-G2	No	No	No further action planned
X450a/e	No	No	No further action planned
X450-G2	No	No	No further action planned
X460	No	No	No further action planned
X460-G2	No	No	No further action planned
X480	No	No	No further action planned
X620	No	No	No further action planned
X650	No	No	No further action planned
X670	No	No	No further action planned
X670-G2	No	No	No further action planned
X690	Yes	Yes	Under Investigation. Further action pending.(1)
X770	No	No	No further action planned
X870	Yes	Yes	Under Investigation. Further action pending.(1)
BD 8800/8900	No	No	No further action planned
BD X8	Yes	Yes	Under Investigation. Further action pending.(1)
E4G-200	No	No	No further action planned
E4G-400	No	No	No further action planned
Securestack	No	No	No further action planned
G-Series	No	No	No further action planned
A-Series	No	No	No further action planned
B-Series	No	No	No further action planned
C-Series	No	No	No further action planned
K-Series	No	No	No further action planned
S-Series	No	No	No further action planned
RX	No	No	No further action planned
XMR	No	No	No further action planned
MLX/MLXe (including line cards)	No	No	No further action planned
CES/CER	No	No	No further action planned
VDX	No	No	No further action planned
SLX9140/9240	Yes	Yes	Under investigation. Further action pending.(2)
SLX9540/9850 (including line cards)	Yes	Yes	Under investigation. Further action pending.(2)
VSP 4850GTS/GTS-PWR+	No	No	No further action planned
VSP 4450GSX/GSX-PWR+/HTX	No	No	No further action planned
VSP 7254 XSQ/XTQ	No	No	No further action planned
VSP 8284XSQ	No	No	No further action planned
VSP 8404/8404C	No	No	No further action planned
VSP 8608	No	No	No further action planned
ERS2500	No	No	No further action planned
ERS3500	No	No	No further action planned
ERS3600	No	No	No further action planned
ERS4500	No	No	No further action planned
ERS4800	No	No	No further action planned
ERS4900	No	No	No further action planned
ERS5500	No	No	No further action planned
ERS5600	No	No	No further action planned
ERS5900	No	No	No further action planned
VSP7000	No	No	No further action planned
APLS (Avaya Private Label Switching)
DSG8064	Yes	No. User cannot execute externally crafted programs under normal operating conditions.	No further action planned
DSG9032	Yes	No. User cannot execute externally crafted programs under normal operating conditions.	No further action planned
Legacy Modular
ERS 8300	No	No	No further action planned
ERS 8600	No	No	No further action planned
ERS 8800	No	No	No further action planned
VSP 9010/9012	No	No	No further action planned
ONA
Open Networking Adapter (for FE solution with vsp4k)	No	No	No further action planned
ADSP hardware appliances (SV-1252/ SV-3652/ NX-9500/ NX-9600)	Yes	No. User cannot execute externally crafted programs under normal operating conditions	Under investigation
ADSP Virtual Machine	Examine host environment	Examine host environment	Customers recommended to harden host environment and install all security updates
Extreme Management Suite	Yes	Yes	Patches targeted for maintenance releases 7.1.x, 8.0.x, 8.1.x. Release dates pending.
ExtremeLocation	Yes	No. User cannot execute externally crafted programs under normal operating conditions	Under Investigation
ExtremeWireless		No. User cannot execute externally crafted programs under normal operating conditions	No further action planned
ExtremeWireless WiNG		No. User cannot execute externally crafted programs under normal operating conditions	No further action planned
T5 PowerBroadband		No. User cannot execute externally crafted programs under normal operating conditions	No further action planned
ExtremeCloud	Yes	No. User cannot execute externally crafted programs under normal operating conditions	Under investigation
Fabric Orchestrator	Examine host environment	Examine host environment	Customers recommended to harden host environment and install all security updates
Visualization Performance and Fault Manager Plus	Examine host environment	Examine host environment	Customers recommended to harden host environment and install all security updates
Extreme Analytics	Examine host environment	Examine host environment	Customers recommended to harden host environment and install all security updates

Extreme products not explicitly identified above are under investigation.

⁽¹⁾ Extreme is evaluating the stability and performance impacts of possible patches to the processor microcode and OS kernel. A final remediation plan is pending completion of testing. Due to the nature and scope of changes required to implement available patches, there are currently no plans to backport Spectre/Meltdown remediations to currently shipping releases. Customers are advised to implement the suggested mitigations to control import and execution of user scripts.

⁽²⁾Extreme is evaluating the stability and performance impacts of possible patches to the processor microcode. Extreme is also exploring methods for disabling user script execution. A final remediation plan is pending completion of testing.

Currently demonstrated Meltdown exploits require execution of crafted code installed on the target device. While the circumstances for using the capability are rare, ExtremeSwitching and Data Center platforms support the import and execution of user scripts via local access only.

Exposure to impactful Meltdown exploits may be reduced to a negligible level by strictly controlling imported scripts or altogether disabling the ability to execute imported scripts.

Mitigations customers may implement immediately focus on control of imported scripts:

• Review all physical and procedural controls for access to impacted systems.
• Review all firewall and other network access control equipment configuration to restrict network access to impacted devices.
• Review impacted devices to ensure compliance with best security practices including changing default passwords, enforcement of suitably strong passwords for all user accounts, and deleting unused user accounts.
• Review processes for examination, approval, and import of user scripts.
• TACACS+ per-command authorization may be configured to block access to the "load script" and "run script" commands (EXOS).
• User script execution may be disabled in EXOS by placing the system in FIPS mode. FIPS mode imposes various restrictions on the operation of the system. Please review FIPS mode operation to determine if it is appropriate.

Extreme is exploring methods for disabling user script execution.

Customers of Extreme products that provide a mechanism to execute third-party code are urged to exercise care in evaluating and authenticating any applications deployed on the Extreme platform.

Customers that deploy Extreme products in virtual environments are reminded to harden their virtual environment and install all security updates.

Customers are reminded to observe all security best practices in configuration of their systems to reduce exposure to unauthorized access.

This advisory notice is provided on an “as is” basis and Extreme Networks makes no representations or warranties of any kind, expressly disclaiming the warranties of merchantability or fitness for a particular use. Use of the information provided herein or materials linked from this advisory notice is at your own risk. Extreme Networks reserves the right to change or update this document at any time, and expects to update this document as new information becomes available. The information provided herein is applicable to current Extreme Networks products identified herein and is not intended to be any representation of future functionality or compatibility with any third-party technologies referenced herein. This notice shall not change any contract or agreement that you have entered into with Extreme Networks.