PAN-SA-2019-0012 Information about Recent Intel Side Channel Vulnerabilities
Description
Palo Alto Networks has determined that WildFire Appliance (WF-500) and WildFire Cloud are affected by the recent vulnerability disclosures, known as Fallout, RIDL, and Zombieload. We are working to validate and implement software updates to address these issues. We will provide updates as they become available. (PAN-117746/CVE-2018-12126, CVE-2018-12127, CVE-2018-12130 and CVE-2019-11091)
Successful exploitation of this issue may allow reads from a compromised sandbox VM (guest OS) to retrieve data from other VMs (another guest OS) or the PAN-OS operating system (host OS) as a result of breaching the separation between kernel and user address space. The analysis method utilized by the WildFire Appliance (WF-500) and WildFire Cloud helps to mitigate the impact of this issue. Each virtualized file analysis session is unique and each session is terminated and destroyed after analysis is complete. The uniqueness of each file analysis session coupled with the limited amount of time allowed to execute an attack within the environment limits the scope of impact that the attacker can have on the sandbox VM (guest OS) and the PAN-OS operating system (host OS).
PAN-OS and Panorama platforms are not directly impacted by these vulnerabilities because successful exploitation on PAN-OS devices requires an attacker to have already compromised the PAN-OS operating system. We will continue to monitor the situation and evaluate the patching options supplied by our partner vendors as they become available.
We will continue to provide updates regarding software patches and/or other mitigations as they become available. For more background, please see the following https://researchcenter.paloaltonetworks.com/2018/01/understanding-affected-not-vulnerable/
This issue affects WF-500 (WildFire Appliance) running any version of appliance software: PAN-OS 9.0, PAN-OS 8.1, PAN-OS 8.0 and PAN-OS 7.1.
WildFire Cloud is affected by this issue.
The Traps agent does not detect/prevent this specific type of CPU-level side-channel attack.
| CVE | CVSS | Summary |
|---|---|---|
| CVE-2018-12126 | 5.6 (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N) | Microarchitectural Store Buffer Data Sampling (MSBDS): Store buffers on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf |
| CVE-2018-12127 | 5.6 (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N) | Microarchitectural Load Port Data Sampling (MLPDS): Load ports on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf |
| CVE-2018-12130 | 5.6 (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N) | Microarchitectural Fill Buffer Data Sampling (MFBDS): Fill buffers on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf |
| CVE-2019-11091 | 5.6 (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N) | Microarchitectural Data Sampling Uncacheable Memory (MDSUM): Uncacheable memory on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf |
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| PAN-OS | None | all |
| WildFire Appliance | all | |
| WildFire Cloud | yes |
Severity: MEDIUM
CVSSv3.1 Base Score: 5.6 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N)
Weakness Type
Solution
We will provide updates as more information becomes available. The security and stability of our products remain a top priority and we will continue to monitor this situation.