On Thursday 04 January 2018 CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754 were published in response to research from Google’s Project Zero, among others, related to side-channel analysis of speculative execution on modern computer processors.
These attacks have been named Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5715 and CVE-2017-5753) and have their own namesake website, at https://meltdownattack.com/ and at https://spectreattack.com/
These hardware vulnerabilities can be exploited by local programs on a given host processor to get hold of secrets stored in the memory of other running programs. All Aerohive products are closed systems, not allowing the installation of third-party applications. Because of this, Aerohive believes that these vulnerabilities cannot be exploited on Aerohive products in their normal configurations.
Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.
Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider’s infrastructure, it might be possible to steal data from other customers.
Specific details on these can be retrieved from the namesake website https://meltdownattack.com/ and https://spectreattack.com
May allow unauthorized disclosure of information.
As always, Aerohive recommends that you follow best security practices, including reduction of possible attack surface areas by use of physical access control methods and network methods such as network-level ACLs to restrict access to sensitive equipment.
Although Aerohive cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability. Aerohive does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Aerohive may update this advisory.
A stand-alone copy or paraphrase of the text of this security advisory that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.
This advisory will be posted on Aerohive’s website at:
https://www.aerohive.com/support/security-center/
Future updates of this advisory, if any, will be placed on Aerohive’s worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.
REVISION HISTORY
Revision 1.0 / 2018-01-05 INITIAL PUBLICATION
AEROHIVE PSIRT SECURITY PROCEDURES
Complete information on reporting security vulnerabilities in Aerohive products, obtaining assistance with security incidents is available at:
https://www.aerohive.com/support/security-center/
For reporting *NEW* Aerohive security issues, email can be sent to security(at)aerohive.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at:
https://www.aerohive.com/support/security-center/
© Copyright 2017 Aerohive, Inc.
This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.