FireEye Notice for CVE-2017-5754, CVE-2017-5753, and CVE-2017-5715 (“Meltdown” and “Spectre” vulnerabilities)

On Jan. 3, 2018, vulnerabilities affecting CPUs used in some FireEye products and services were publicly announced. The CVE numbers are CVE-2017-5754, CVE-2017-5753, and CVE-2017-5715; the vulnerabilities are known informally as “Meltdown” and “Spectre”.

The vulnerabilities allow locally executing code to infer data values held in privileged kernel memory, or memory owned by other processes that was not intended to be readable. There are multiple mitigating factors, including some barriers to successful exploitation; however, to minimize risk, we are working to remediate these vulnerabilities as quickly as possible.

Windows administrators running HX agent and seeking information about updating Windows should refer to our FireEye Endpoint Security Agent blog post.

CVE-2017-5753 and CVE-2017-5715 (“Spectre”)

Analysis of the Spectre vulnerabilities is in progress. Currently published attacks for CVE-2017-5715, when mounted from within the MVX analysis environment, are not expected to be successful. Nevertheless, customers using FireEye AX and EX appliances may consider suspending the use of Live Mode (AX), and Controlled Live Mode (EX), for the time being. This may impact detection efficacy.

CVE-2017-5754 (“Meltdown”)

Analysis of the Meltdown vulnerability is in progress. While additional information is still coming to light, this vulnerability is not thought to impact AMD CPUs. Of FireEye’s physical appliance products, only those that are Intel-based are thought to be affected. This is reflected in the following table. Note that in the case of virtual appliances (supported for NX, CM, HX, and FX), the vulnerability would be determined by the host environment.

Impact and status of Meltdown vulnerability on FireEye’s products and services:

| Product or Service | Models | Status |
| --- | --- | --- |
| NX (physical) | NX 1500, NX 2500, NX 2550, NX 3500, NX 4500, NX 5500, NX 7500, NX 10550 | Affected, but not exploitable due to pre-existing security measures. Remediation testing in progress. |
| NX (physical) | All other physical models | Not affected. |
| NX sensor (virtual) | All virtual models | May be affected, depending on host environment; not exploitable due to pre-existing security measures. |
| VX | All | Affected, but not exploitable due to pre-existing security measures. Remediation testing in progress. |
| EX | EX 3500, EX 5500, EX 7640, EX 8500 | Affected, but not exploitable due to pre-existing security measures. Remediation testing in progress. |
| EX | All other models | Not affected. |
| AX | AX 5500, AX 5550 | Affected, but not exploitable due to pre-existing security measures. Remediation testing in progress. |
| AX | All other models | Not affected. |
| FX (physical) | All physical models | Not affected. |
| FX sensor (virtual) | All virtual models | May be affected, depending on host environment; not exploitable due to pre-existing security measures. |
| CM (physical) | CM 4500, CM 7500, CM 9500 | Affected, but not exploitable due to pre-existing security measures. Remediation testing in progress. |
| CM (physical) | All other physical models | Not affected. |
| CM (virtual) | All virtual models | May be affected, depending on host environment; not exploitable due to pre-existing security measures. |
| HX (physical) | HX 4000, HX 4502 | Affected, but not exploitable due to pre-existing security measures. Remediation testing in progress. |
| HX (physical) | All other physical models | Not affected. |
| HX (virtual) | All virtual models | May be affected, depending on host environment; not exploitable due to pre-existing security measures. |
| IA | All | Affected, but not exploitable due to pre-existing security measures. Remediation testing in progress. |
| PX | All | Affected, but not exploitable due to pre-existing security measures. Remediation testing in progress. |
| Helix | N/A | Affected; remediation testing in progress. |
| TAP | N/A | Affected; remediation testing in progress. |
| FIC | N/A | Affected; remediation testing in progress. |
| Cloud MVX | N/A | Affected; remediation testing in progress. |
| IAM | N/A | Affected; remediation testing in progress. |
| FSO | N/A | Affected; remediation testing in progress. |
| ETP | N/A | Affected; remediation testing in progress. |
| Cloud Collector | N/A | Affected; remediation testing in progress. |
| DTI | N/A | Affected; remediation testing in progress. |
| AFO | N/A | Analysis in progress. |
| SSL | N/A | Analysis in progress. |

Next Steps

Development and testing of remediations are actively in progress. For physical and virtual appliance products, this will include a full system image update, which will require a reboot to apply. We continue to work with the broader community to protect our customers. We anticipate an update to this status by Jan. 19.

Recommended Mitigations

  • Customers using FireEye AX and EX appliances may consider suspending the use of Live Mode (AX), and Controlled Live Mode (EX), for the time being. This may impact detection efficacy. On AX, Live Mode is selected as an option at the time of submission. On EX, to disable Controlled Live Mode in configuration, you may use "no email-analysis controlled-live-mode enable" in the CLI. This recommendation is due to Spectre, and therefore applies to all AX and EX models, even if noted above as “not affected” by Meltdown. Customers can find more information in our FireEye Customer Communities post.
  • Always keep the product version up to date.
  • When running a virtual appliance, always keep your host operating system and hypervisor up to date.
  • Limit network access to and from appliance management interfaces with firewalls (or other protective measures).
  • Only issue accounts to trusted administrators.
  • Utilize strong passwords or keys.
  • Restrict physical access to the appliance to trusted administrators.

Revision History

| Date | Comments |
| --- | --- |
| 1/5/2018 | Initial revision |
| 1/12/2018 | Softened Live Mode recommendation, and clarified models to which it applies. Updated PX and IA analysis. Reflected that fixes are implemented and under test for many products and services. Listed AFO and SSL products. Removed mention of Guest Images, which are not a separate product. |