FireEye Notice for CVE-2017-5754, CVE-2017-5753, and CVE-2017-5715 (“Meltdown” and “Spectre” vulnerabilities)

Last Updated: April 10, 2018

On Jan. 3, 2018, vulnerabilities affecting CPUs used in some FireEye products and services were publicly announced. The CVE numbers are CVE-2017-5754, CVE-2017-5753, and CVE-2017-5715; the vulnerabilities are known informally as “Meltdown” and “Spectre”.

The vulnerabilities allow locally executing code to infer data values held in privileged kernel memory, or memory owned by other processes that was not intended to be readable. There are multiple mitigating factors, including some barriers to successful exploitation; however, to minimize risk, we are working to remediate these vulnerabilities as quickly as possible.

Windows administrators running HX agent and seeking information about updating Windows should refer to our FireEye Endpoint Security Agent blog post.

CVE-2017-5754 (“Meltdown”)

FireEye has analyzed the Meltdown vulnerability and its impact on our products. AMD believes this vulnerability does not impact their CPUs. Therefore, only FireEye’s physical appliance products that use Intel CPUs are affected. This is reflected in the following table. Note that in the case of virtual appliances (supported for NX, CM, HX, and FX), the presence of the vulnerability would be determined by the host environment’s physical CPU.

The table below shows the initial and current status of the Meltdown vulnerability on FireEye’s products and services:

| Product or Service | Models | Initial Status | Current Status |
|---|---|---|---|
| NX (physical) | NX 1500, NX 2500, NX 2550, NX 3500, NX 4500, NX 5500, NX 7500, NX 10550 | Affected, but not exploitable due to pre-existing security measures. | Remediated in version 8.1.1 released on 2/6/2018. |
| NX (physical) | All other physical models | Not affected. | N/A |
| NX sensor (virtual) | All virtual models | May be affected, depending on host environment; not exploitable due to pre-existing security measures. | Remediated in version 8.1.1 released on 2/6/2018. |
| VX | All | Affected, but not exploitable due to pre-existing security measures. | Remediated in version 8.1.1 released on 2/6/2018. |
| EX | EX 3500, EX 5500, EX 7640, EX 8500 | Affected, but not exploitable due to pre-existing security measures. | Remediated in version 8.1.1 released on 2/6/2018. |
| EX | All other models | Not affected. | N/A |
| AX | AX 5500, AX 5550 | Affected, but not exploitable due to pre-existing security measures. | Remediated in version 8.0.1 released on 2/21/2018. |
| AX | All other models | Not affected. | N/A |
| FX (physical) | All physical models | Not affected. | N/A |
| FX sensor (virtual) | All virtual models | May be affected, depending on host environment; not exploitable due to pre-existing security measures. | Remediated in version 8.0.1 released on 2/21/2018. |
| CM (physical) | CM 4500, CM 7500, CM 9500 | Affected, but not exploitable due to pre-existing security measures. | Remediated in version 8.2.1 released on 2/6/2018. |
| CM (physical) | All other physical models | Not affected. | N/A |
| CM (virtual) | All virtual models | May be affected, depending on host environment; not exploitable due to pre-existing security measures. | Remediated in version 8.2.1 released on 2/6/2018. |
| HX (physical) | HX 4000, HX 4502 | Affected, but not exploitable due to pre-existing security measures. | Remediated in version 4.0.4 released on 2/28/2018. |
| HX (physical) | All other physical models | Not affected. | N/A |
| HX (virtual) | All virtual models | May be affected, depending on host environment; not exploitable due to pre-existing security measures. | Remediated in version 4.0.4 released on 2/28/2018. |
| Cloud HX | All | Affected, but not exploitable due to pre-existing security measures. | Remediated in HX 4.0.4 released for cloud deployment on 4/2/2018. |
| IA | All | Affected, but not exploitable due to pre-existing security measures. | Remediated in version 1.3.3 released on 3/8/2018. |
| PX | All | Affected, but not exploitable due to pre-existing security measures. | Remediation testing identified significant performance issues that are being investigated. |
| Helix L&A / HMC | N/A | Affected, but not exploitable due to pre-existing security measures. | Remediated in version 2018.1 released on 4/9/2018. |
| TAP | N/A | Affected, but not exploitable due to pre-existing security measures. | Remediation testing in progress. |
| FIC | N/A | Affected, but not exploitable due to pre-existing security measures. | Remediation testing in progress. |
| Cloud MVX | N/A | Affected, but not exploitable due to pre-existing security measures. | Remediation testing in progress. |
| IAM | N/A | Affected, but not exploitable due to pre-existing security measures. | Remediation in GovCloud environment completed on 2/3/2018. Remediation in other environments completed on 2/17/2018. |
| FSO | N/A | Affected, but not exploitable due to pre-existing security measures. | Remediated in version 4.2.2-2 released on 1/11/2018. |
| ETP | N/A | Affected, but not exploitable due to pre-existing security measures. | Remediation testing in progress. |
| Cloud Collector | N/A | Affected, but not exploitable due to pre-existing security measures. | Remediation completed on 2/7/2018. |
| DTI | N/A | Affected, but not exploitable due to pre-existing security measures. | Remediated on 1/19/2018. |
| AFO | N/A | Not affected. | N/A |
| SSL | N/A | Affected, but not exploitable due to pre-existing security measures. | Awaiting software update from vendor. After that is received, FireEye will perform testing prior to release of update. |
| FaaS | N/A | Affected, but not exploitable due to pre-existing security measures. | Remediation in progress. |
| NTAP Sensor | All | Affected, but not exploitable due to pre-existing security measures. | Remediation completed on 3/14/2018. |
| MIR | 4402 | Not affected. | N/A |
| MIR | Rev E, Rev F, 4000 | Affected, but not exploitable due to pre-existing security measures. | Upon further review, this issue does not pose a significant risk to this product. Not affected and no remediation planned. |
| MSO | 4000 | Affected, but not exploitable due to pre-existing security measures. | Upon further review, this issue does not pose a significant risk to this product. Not affected and no remediation planned. |

CVE-2017-5753 and CVE-2017-5715 (“Spectre”) 

FireEye has analyzed the Spectre vulnerabilities and their impact on our products and services. Using the taxonomy from Google Project Zero, we refer to the two variants as Spectre Variant 1 (CVE-2017-5753) and Spectre Variant 2 (CVE-2017-5715).

  • Spectre Variant 1 is not exploitable on any FireEye products due to pre-existing security measures.
  • Spectre Variant 2 is not exploitable on any FireEye products other than AX and EX appliances and the ETP service, where pre-existing security measures mitigate the issue. Additional details on this issue can be found on our FireEye Customer Communities post for AX and EX and our FireEye Field Notice for ETP.

FireEye's planned response to Spectre is to deliver system software updates for all affected products. Even though Spectre Variant 1 is not exploitable in any FireEye products, these updates will contain a full mitigation of it as an additional security measure. The updates will also contain at least a partial mitigation of Spectre Variant 2 using multiple methods. In addition, CPU microcode updates may be required for a full mitigation of Spectre Variant 2. FireEye is working with our CPU vendors (Intel and AMD) to evaluate this situation. A delivery timeframe for these updates is not currently known due to the external dependency.

Next Steps 

For physical and virtual appliance products where an updated version has been released, consult the product documentation and the customer support portal for details on the release and how to update the appliance. Appliance updates are a full system image, which will require a reboot to apply.

Recommended Mitigations

  • Customers using FireEye AX and EX appliances may consider suspending the use of Live Mode (AX), and Controlled Live Mode (EX), for the time being. This may impact detection efficacy. On AX, Live Mode is selected as an option at the time of submission. On EX, to disable Controlled Live Mode in configuration, you may use "no email-analysis controlled-live-mode enable" in the CLI. This recommendation is due to Spectre, and therefore applies to all AX and EX models, even if noted above as “not affected” by Meltdown. Customers can find more information in our FireEye Customer Communities post.
  • Always keep the product version up to date.
  • When running a virtual appliance, always keep your host operating system and hypervisor up to date.
  • Limit network access to and from appliance management interfaces with firewalls (or other protective measures).
  • Only issue accounts to trusted administrators.
  • Utilize strong passwords or keys.
  • Restrict physical access to the appliance to trusted administrators.
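
Added example (not part of the original notice and not FireEye code): a fleet triage that applies the Meltdown table and the AX/EX Live Mode recommendation above to an appliance inventory. It covers the NX, EX, AX, FX, CM and HX appliances only; the inventory format, the sample entries and the rule that any version at or above the listed release is remediated are assumptions.

```python
# Added example, not FireEye code. Fixed versions and affected models come from the
# Meltdown table in this notice; inventory format and the ">= fixed" rule are assumed.
FIXED = {"NX": "8.1.1", "EX": "8.1.1", "AX": "8.0.1", "FX": "8.0.1",
         "CM": "8.2.1", "HX": "4.0.4"}
VIRTUAL = {"NX", "CM", "HX", "FX"}  # products the notice lists as virtual appliances
AFFECTED_PHYSICAL = {
    "NX": {"1500", "2500", "2550", "3500", "4500", "5500", "7500", "10550"},
    "EX": {"3500", "5500", "7640", "8500"},
    "AX": {"5500", "5550"},
    "FX": set(),  # all physical FX models are listed as not affected
    "CM": {"4500", "7500", "9500"},
    "HX": {"4000", "4502"},
}

def vtuple(version):
    # '4.0.10' -> (4, 0, 10), so 4.0.10 sorts after 4.0.4 (string compare would not)
    return tuple(int(part) for part in version.split("."))

def triage(product, model, version):
    """Return (meltdown_status, notes) for one appliance."""
    notes = []
    if product in ("AX", "EX"):  # applies to every AX/EX model, per the notice
        notes.append("review Live Mode / Controlled Live Mode (Spectre recommendation)")
    virtual = model == "virtual"
    if product not in FIXED or (virtual and product not in VIRTUAL):
        return "not listed in notice", notes
    if not virtual and model not in AFFECTED_PHYSICAL[product]:
        return "not affected", notes
    if vtuple(version) >= vtuple(FIXED[product]):
        return "remediated", notes
    if virtual:
        notes.append("exposure depends on the host CPU; patch host OS and hypervisor")
    return "update to %s or later" % FIXED[product], notes

# Constructed sample inventory: product, model (or 'virtual'), running version.
INVENTORY = """\
NX 2500 8.0.4
NX 900 7.9.2
EX 3500 8.1.1
AX 5400 7.7.0
CM virtual 8.1.0
HX 4502 4.0.10
"""

def audit(text):
    return {line: triage(*line.split()) for line in text.splitlines() if line.strip()}

if __name__ == "__main__":
    for line, (status, notes) in audit(INVENTORY).items():
        print(f"{line:<18}{status:<27}{'; '.join(notes)}")
```
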

Revision History

| Date | Comments |
|---|---|
| 1/5/2018 | Initial post. |
| 1/12/2018 | Updated Live Mode recommendation, and clarified models to which it applies. Updated PX and IA analysis. Reflected that fixes are implemented and under test for many products and services. Listed AFO and SSL products. Removed mention of Guest Images, which are not a separate product. |
| 1/24/2018 | Separated current and initial status in Meltdown table. Added FaaS, MIR, and MSO products. Updated current status for some products. |
| 1/31/2018 | Updated current Meltdown status for Cloud Collector. |
| 2/5/2018 | Updated current Meltdown status for Cloud Collector, PX, and IA. |
| 2/7/2018 | Added NTAP Sensor product. Updated current Meltdown status for many products. Updated “Next Steps” paragraph. |
| 2/9/2018 | Updated current Meltdown status for Cloud Collector. |
| 2/16/2018 | Updated current Meltdown status for HX, AX, FX, PX, and IA. |
| 2/23/2018 | Updated current Meltdown status for AX, FX, and NTAP Sensor. Updated Spectre section. |
| 3/2/2018 | Updated current Meltdown status for HX. |
| 3/12/2018 | Updated current Meltdown status for IA. |
| 3/16/2018 | Updated current Meltdown status for NTAP Sensor. |
| 4/10/2018 | Updated current Meltdown status for Cloud HX, IAM, and Helix L&A / HMC. |