Christo.1

Official announcement on Meldown/Spectre

Blog Post created by Christo.1 Employee on Jan 12, 2018
January 11, 2018
 
Dear CA Customer
 
The purpose of this Critical Alert is to provide guidance for CA Privileged Access Manager customers in relation to the highly publicized vulnerabilities, “Meltdown” and “Spectre”. These attacks take advantage of a CPU performance feature called speculative execution and together, these two vulnerabilities affect all modern computing devices and operating systems.   
 
BACKGROUND: 
Meltdown ( CVE-2017-5754)  was discovered simultaneously by researchers at Google, Graz University and Cyberus Technology.  The exploit enables an unprivileged attacker can use these CPU flaws to bypass conventional kernel memory security restrictions in order to gain read access to privileged memory that would otherwise be inaccessible. Spectre is two different exploitation techniques ; CVE-2017-5753 and CVE-2017-5715. These techniques potentially make items in kernel memory available to user processes by taking advantage of a delay in the time it may take the CPU to check the validity of a memory access call.  More information can be found here;  https://meltdownattack.com
 
IMPACT TO CA PAM
CA PAM uses a defense in depth approach and is deployed as a hardened encrypted appliance so it is not possible to load and execute malicious programs on the hardware device (304L) nor in the virtual formats (VMware OVF and Amazon EC2 AMI).  This execution isolation provides mitigations for Meltdown. For Spectre, it is possible to traverse across virtual machines running on the same host.
 
Customers with CA PAM as an OVF must ensure that their virtualization environments have applied the security fixes provided by VMware (ref: https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html ). For CA PAM Amazon EC AMI, this reference notes that Amazon EC2 instances are “protected from all known instance-to-instance concerns of the CVEs previously listed”  https://aws.amazon.com/security/security-bulletins/AWS-2018-013
 
CA continues to monitor and investigate Spectre attack as described by Microsoft Vulnerability Research where browsers’ JavaScript engines have demonstrated that code on a malicious web page could read data from other web sites (violating the same-origin policy) or private data from the browser itself.  Microsoft issued an update to IE11 as part of its “Patch Tuesday” (January 9th, 2018). 
 
CA PAM also utilizes a number of peripheral agents (CA App2App, Socket Filter Agents, CA Win-Proxy).  These agents inherit the security environment of the OS and device they are deployed on so it is strongly suggested that customers follow the necessary steps to update these target systems. As always, CA encourages customers to migrate to the latest release of CA PAM and deploy the latest patches and updates including peripheral agents.
 
As more information becomes available from third-party vendors, CA PAM will issue additional notifications to advise customers of potential resolutions and next steps for updating any CA components if necessary.
 
 
WORKAROUND:
There is no known workaround for this issue.
 
QUESTIONS:
If you have any questions about this Critical Alert, please contact CA Support.      
 
Thank you,
CA Support Team

Outcomes