
PAN-SA-2018-0011 Information about L1 Terminal Fault findings

Severity 0 · NONE
Attack Vector LOCAL
Attack Complexity HIGH
Privileges Required LOW
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact NONE
Integrity Impact NONE
Availability Impact NONE

Description

Palo Alto Networks is aware of recent vulnerability disclosures, known as L1 Terminal Fault, that affect modern CPU architectures (CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646). At this time, our findings show that these vulnerabilities pose no increased risk to Palo Alto Networks PAN-OS devices. This security advisory will be updated as more information becomes available or if there are changes in the impact of these vulnerabilities.

PAN-OS/Panorama platforms are not directly impacted by these vulnerabilities, as successful exploitation on PAN-OS devices requires an attacker to have already compromised the PAN-OS operating system. We treat any vulnerability that compromises PAN-OS to allow the execution of code as a critical vulnerability. Any such vulnerability would be urgently patched and made available in a PAN-OS maintenance update for all supported versions of PAN-OS. Because of the low risk of the L1 Terminal Fault vulnerability and the relatively high risk of known patch options, the risk and impact must be carefully considered and thoroughly understood.

Our customers’ security is our highest priority. We will continue to closely monitor the situation as it evolves, and to evaluate patching options available from our partner vendors as they become available. We will update this bulletin with updates regarding software patches or other mitigations as they become available. For more background, please see the following: https://researchcenter.paloaltonetworks.com/2018/01/understanding-affected-not-vulnerable/.

| CVE | CVSS | Summary |
|---|---|---|
| CVE-2018-3615 | n/a | Systems with microprocessors utilizing speculative execution and Intel software guard extensions (Intel SGX) may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via a side-channel analysis. |
| CVE-2018-3620 | n/a | Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and a side-channel analysis. |
| CVE-2018-3646 | n/a | Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis. |

Product Status

| Versions | Affected | Unaffected |
|---|---|---|
| PAN-OS | None | all |

Severity: NONE

CVSSv3.1 Base Score: 0 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:N)

Weakness Type

CWE-200 Information Exposure

Solution

No action is required at this time. This bulletin will be updated as more information becomes available. We will continue to closely monitor the situation as it evolves, and to evaluate update options.

Workarounds and Mitigations

Customers looking to mitigate their exposure to L1 Terminal Fault on their endpoints are encouraged to consult with their equipment manufacturers and operating system vendors on steps to patch or mitigate exposure. We strongly advise customers to patch endpoints at high risk of exploitation. The Traps agent does not detect/prevent this specific type of CPU-level side-channel attack.
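
An added example, not part of the Palo Alto Networks advisory: on Linux endpoints the kernel reports its L1 Terminal Fault mitigation state in /sys/devices/system/cpu/vulnerabilities/l1tf, and this Python script triages that status line against the CVEs listed above. The function names, wording of the findings and sample lines are constructed for illustration; other operating systems need their vendor's own check.

```python
import re
from pathlib import Path

# Linux exposes the L1TF state here (kernel 4.19+ and vendor backports).
# CVE-2018-3615 (SGX) is not reflected in this file.
SYSFS_L1TF = Path("/sys/devices/system/cpu/vulnerabilities/l1tf")

def classify_l1tf(status: str) -> dict:
    """Map one l1tf status line to triage findings per CVE."""
    s = status.strip()
    result = {"raw": s, "affected": True, "os_mitigated": False,
              "vmx": None, "smt": None, "action_needed": []}
    if s == "Not affected":
        result["affected"] = False
        return result
    # PTE inversion is the kernel-side mitigation for CVE-2018-3620.
    result["os_mitigated"] = "PTE Inversion" in s
    if not result["os_mitigated"]:
        result["action_needed"].append(
            "CVE-2018-3620: kernel lacks PTE inversion; apply OS vendor update")
    # VMX/SMT fields appear only on hosts with KVM; they cover CVE-2018-3646.
    m = re.search(r"VMX: ([^,;]+)", s)
    if m:
        result["vmx"] = m.group(1).strip()
        if result["vmx"] == "vulnerable":
            result["action_needed"].append(
                "CVE-2018-3646: no L1D flush on VM entry; follow vendor guidance")
    m = re.search(r"SMT (vulnerable|disabled)", s)
    if m:
        result["smt"] = m.group(1)
        if result["smt"] == "vulnerable":
            result["action_needed"].append(
                "CVE-2018-3646: SMT active on a guest host; follow vendor guidance")
    return result

def local_status(path: Path = SYSFS_L1TF):
    """Return the local status line, or None when the file is unavailable."""
    try:
        return path.read_text()
    except OSError:
        return None

if __name__ == "__main__":
    # Constructed sample lines in the kernel's documented format.
    samples = ["Not affected", "Vulnerable", "Mitigation: PTE Inversion",
               "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable"]
    live = local_status()
    for line in ([live] if live else samples):
        finding = classify_l1tf(line)
        print(finding["raw"], "->", finding["action_needed"] or "no action flagged")
```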

© 2020 Palo Alto Networks, Inc. All rights reserved.