PAN-SA-2018-0011 Information about L1 Terminal Fault findings

Palo Alto Networks Security Advisories / PAN-SA-2018-0011

PAN-SA-2018-0011 Information about L1 Terminal Fault findings

Urgency N/A

Severity 0 · NONE

Response Effort Not applicable

Recovery Not applicable

Value Density Not applicable

Attack Vector Not applicable

Attack Complexity Not applicable

Attack Requirements Not applicable

Automatable Not applicable

User Interaction Not applicable

Product Confidentiality NONE

Product Integrity NONE

Product Availability NONE

Privileges Required Not applicable

Subsequent Confidentiality NONE

Subsequent Integrity NONE

Subsequent Availability NONE

JSON CSAF

Published 2018-08-17

Updated 2018-08-17

Reference PAN-102947, PAN-SA-2018-0011

Discovered externally

Description

Palo Alto Networks is aware of recent vulnerability disclosures, known as L1 Terminal Fault, that affect modern CPU architectures. At this time, our findings show that these vulnerabilities pose no increased risk to Palo Alto Networks PAN-OS devices. (CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646). This security advisory will be updated as more information becomes available or if there are changes in the impact of these vulnerabilities.

PAN-OS/Panorama platforms are not directly impacted by these vulnerabilities, as successful exploitation on PAN-OS devices requires an attacker to have already compromised the PAN-OS operating system. We treat any vulnerability that compromises PAN-OS to allow the execution of code as a critical vulnerability. Any such vulnerability would be urgently patched and made available in a PAN-OS maintenance update for all supported versions of PAN-OS. Because of the low risk of the L1 Terminal Fault vulnerability and the relatively high risk of known patch options, the risk and impact must be carefully considered and thoroughly understood.

Our customers’ security is our highest priority. We will continue to closely monitor the situation as it evolves, and to evaluate patching options available from our partner vendors as they become available. We will update this bulletin with updates regarding software patches or other mitigations as they become available. For more background, please see the following: https://researchcenter.paloaltonetworks.com/2018/01/understanding-affected-not-vulnerable/.

CVE	Summary
CVE-2018-3615	Systems with microprocessors utilizing speculative execution and Intel software guard extensions (Intel SGX) may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via a side-channel analysis.
CVE-2018-3620	Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and a side-channel analysis.
CVE-2018-3646	Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis.

Product Status

Versions	Affected	Unaffected
PAN-OS	None	All

Severity: NONE, Suggested Urgency: N/A

CVSS-B: 0.0 (CVSS:4.0/AV:P/AC:H/AT:P/PR:H/UI:A/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N)

Weakness Type

CWE-200 Information Exposure

Solution

No action is required at this time. This bulletin will be updated as more information becomes available. We will continue to closely monitor the situation as it evolves, and to evaluate update options.

Workarounds and Mitigations

Customers looking to mitigate their exposure to L1 Terminal Fault on their endpoints are encouraged to consult with their equipment manufacturers and operating system vendors on steps to patch or mitigate exposure. We strongly advise customers to patch endpoints at high risk of exploitation. The Traps agent does not detect/prevent this specific type of CPU-level side-channel attack.