The purpose of this Critical Alert is to provide guidance for CA Privileged Access Manager customersin relation to the highly publicized vulnerabilities, “Meltdown” and “Spectre”. These attacks take advantage of a CPU performance feature called speculative execution and together, these two vulnerabilities affect all modern computing devices and operating systems.
Meltdown ( CVE-2017-5754) was discovered simultaneously by researchers at Google, Graz University and Cyberus Technology. The exploit enables an unprivileged attacker can use these CPU flaws to bypass conventional kernel memory security restrictions in order to gain read access to privileged memory that would otherwise be inaccessible. Spectre is two different exploitation techniques ; CVE-2017-5753 and CVE-2017-5715. These techniques potentially make items in kernel memory available to user processes by taking advantage of a delay in the time it may take the CPU to check the validity of a memory access call. More information can be found here; https://meltdownattack.com
IMPACT TO CA PAM
CA PAM uses a defense in depth approach and is deployed as a hardened encrypted appliance so it is not possible to load and execute malicious programs on the hardware device (304L) nor in the virtual formats (VMware OVF and Amazon EC2 AMI). This execution isolation provides mitigations for Meltdown. For Spectre, it is possible to traverse across virtual machines running on the same host.
CA PAM also utilizes a number of peripheral agents (CA App2App, Socket Filter Agents, CA Win-Proxy). These agents inherit the security environment of the OS and device they are deployed on so it is strongly suggested that customers follow the necessary steps to update these target systems. As always, CA encourages customers to migrate to the latest release of CA PAM and deploy the latest patches and updates including peripheral agents.
As more information becomes available from third-party vendors, CA PAM will issue additional notifications to advise customers of potential resolutions and next steps for updating any CA components if necessary.
WORKAROUND: There is no known workaround for this issue.
If you have any questions about this Critical Alert, please contact CA Support.