Is Netreo affected by the Intel Meltdown/Spectre kernel memory vulnerabilities?

Updated: 8 January 2018

In January 2018, a vulnerability was discovered in all versions of the Intel X86-64 processor architecture that can cause arbitrary memory leakage, possibly including code execution or the dissemination of critical protected information (such as passwords) contained in memory. These are referred to as the Meltdown and Spectre vulnerabilities, formally known as CVE-2017-5753, CVE-2017-5754 and CVE-2017-5715.

Netreo has evaluated this vulnerability and determined that our products are NOT vulnerable to these exploits, and that they pose no increased risk to Netreo appliances. Although Netreo hardware appliances use Intel processors which are affected by this issue, Netreo does not permit users to upload or execute code on the system and provides no command line (CLI) shell access to users, making it effectively impossible to exploit this vulnerability.

Exploiting these vulnerabilities would require an attacker to have already established local arbitrary code execution; in other words, the system would need to already be successfully exploited. An attacker that has gained the ability to execute arbitrary code on a Netreo appliance will not gain any significant additional capability through exploitation of Meltdown or Spectre attacks on the device.

In practice, the risk of this type of exploit for Netreo customers is very low anyway, as Netreo is typically deployed behind the customer firewall and is not publicly accessible to outside attackers. Netreo also includes intrusion prevention technology to dynamically respond to attempts to gain unauthorized access. Please see theNetreo Appliance Security page for more information.

If you have any concerns, please feel free to contact Netreo Support.