000035890 - Microprocessor Side-Channel Attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on RSA products

Document created by RSA Customer Support Employee on Jan 4, 2018. Last modified by RSA Customer Support Employee on Sep 11, 2018. Version 17.

Article Content

Article Number: 000035890
CVE ID: CVE-2017-5715, CVE-2017-5753, CVE-2017-5754
Article Summary: RSA is aware of the side-channel analysis attacks known as Meltdown and Spectre, which affect many modern microprocessors and were published by several independent security research teams on January 3, 2018. An unprivileged attacker who can run code locally on a system could use these attacks to infer, through cache-timing side channels, the contents of memory that the processor's access controls would otherwise make inaccessible, such as kernel memory or the memory of another process.

  • Variant 1 (CVE-2017-5753, Spectre): Bounds check bypass
  • Variant 2 (CVE-2017-5715, also Spectre): Branch target injection
  • Variant 3 (CVE-2017-5754, Meltdown): Rogue data cache load

RSA has completed investigation of the impact of these issues on our products. This article will be updated with remediation steps as they become available for impacted products.

Until updates can be applied, RSA recommends that customers follow general security best practices for malware protection to reduce the chance that attacker-controlled code runs on a system in the first place. All three variants require the attacker to execute code on the target (for Spectre, this includes script delivered to a browser), so restricting who can run code on a host, keeping browsers and operating systems current, and protecting highly privileged accounts are the relevant controls.
Link to Advisories
Resolution 
| RSA Product Name | Versions | Impacted? | Details | Last Updated |
|---|---|---|---|---|
| 3D Secure / Adaptive Authentication eCommerce | | Not Impacted | Direct access to RSA’s hosted devices and systems is granted only to administrative users who require it for the performance of their job functions. As a result, the reported issues do not introduce additional security risk to customer data hosted within the environment, and patches will be handled through the standard RSA vulnerability remediation process. | 2018-01-17 |
| Access Manager | 6.2 | Not Impacted | It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system. | 2018-01-08 |
| Adaptive Authentication Cloud | | Impacted - Remediated | We have confirmed that our third party cloud platform provider has remediated the issue at the platform level. This remediation fully addresses the risk and requires no customer action. Direct access to RSA’s hosted devices and systems is granted only to administrative users who require it for the performance of their job functions. As a result, the reported issues do not introduce additional security risk at the OS level to customer data hosted within the environment, and OS level patches will be handled through the standard RSA vulnerability remediation process. | 2018-01-17 |
| Adaptive Authentication Hosted | | Not Impacted | Direct access to RSA’s hosted devices and systems is granted only to administrative users who require it for the performance of their job functions. As a result, the reported issues do not introduce additional security risk to customer data hosted within the environment, and patches will be handled through the standard RSA vulnerability remediation process. | 2018-01-17 |
| Adaptive Authentication On-Prem | All Supported | Not Impacted | It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system. | 2018-01-10 |
| Archer Hosted (US) | | Impacted - Remediated | We have confirmed that our third party cloud platform provider has remediated the issue at the platform level. This remediation fully addresses the risk and requires no customer action. Direct access to RSA’s hosted devices and systems is granted only to administrative users who require it for the performance of their job functions. As a result, the reported issues do not introduce additional security risk at the OS level to customer data hosted within the environment, and OS level patches will be handled through the standard RSA vulnerability remediation process. | 2018-01-17 |
| Archer Hosted (EMEA) | | Not Impacted | Direct access to RSA’s hosted devices and systems is granted only to administrative users who require it for the performance of their job functions. As a result, the reported issues do not introduce additional security risk to customer data hosted within the environment, and patches will be handled through the standard RSA vulnerability remediation process. | 2018-01-17 |
| Archer Platform | All Supported | Not Impacted | It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system. | 2018-01-08 |
| Archer Security Operations Management (SecOps) | All Supported | Not Impacted | It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system. | 2018-01-08 |
| Archer Vulnerability & Risk Manager (VRM) - Hardware Appliance | All Supported | Not Impacted | As a single, root-user-only appliance, the reported issues do not introduce any additional security risk to a customer's environment because a root level user already has full access to all information on the system. Customers should follow the recommended best practices to protect the access of highly privileged accounts. For guidance on updating your RSA Archer VRM Hardware Appliance with the latest OS and BIOS firmware updates, refer to KB article 000036320. | 2018-05-15 |
| Archer Vulnerability & Risk Manager (VRM) - Virtual Appliance | All Supported | Not Impacted | It is a single-user, root-user-only virtual appliance. The reported issues do not introduce any additional security risk to a customer's environment for "in-guest" attacks, provided the recommended best practices to protect the access of highly privileged accounts are followed. Check with your hardware system vendor and hypervisor vendor for any available updates for the host system to prevent "guest-to-host" and "guest-to-guest" attacks. For guidance on applying OS patches to your RSA Archer VRM Virtual Appliance, refer to KB article 000036184. | 2018-05-15 |
| Authentication Manager (Hardware Appliance - Dell PowerEdge & Intel platforms) | All Supported | Not Impacted | It is a single-user, root-user-only appliance. The reported issues do not introduce any additional security risk to a customer's environment, provided the recommended best practices to protect the access of highly privileged accounts are followed. | 2018-01-10 |
| Authentication Manager (Virtual Appliance) | All Supported | Not Impacted | It is a single-user, root-user-only virtual appliance. The reported issues do not introduce any additional security risk to a customer's environment for "in-guest" attacks, provided the recommended best practices to protect the access of highly privileged accounts are followed. Check with your hardware system vendor and hypervisor vendor for any available updates for the host system to prevent "guest-to-host" and "guest-to-guest" attacks. | 2018-01-10 |
| Authentication Manager Web Tier | All Supported | Not Impacted | It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system. | 2018-01-11 |
| BSAFE C Products: MES, Crypto-C ME, SSL-C | All Supported | Not Impacted | It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system. | 2018-01-09 |
| BSAFE Java Products: Cert-J, Crypto-J, SSL-J | All Supported | Not Impacted | It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system. | 2018-01-09 |
| Data Loss Prevention (Hardware Appliance) | 9.6.x, 9.5.x | Impacted - Remediated | Refer to the security advisory DSA-2018-163. | 2018-09-11 |
| Data Loss Prevention (Virtual Appliance) | 9.6.x, 9.5.x | Impacted - Remediated | Check with your hardware system vendor and hypervisor vendor for any available updates for the host system to prevent "guest-to-host" and "guest-to-guest" attacks. Refer to the security advisory DSA-2018-163 for updating the guest operating system to prevent "in-guest" attacks. | 2018-09-11 |
| Data Protection Manager (Software) | All Supported | Not Impacted | It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system. | 2018-01-08 |
| Data Protection Manager (Hardware Appliance) | All Supported | Impacted - Remediated | RSA Data Protection Manager 3.5.2.6.1 contains the resolution for this issue. For more details, refer to the security advisory DSA-2018-078. | 2018-05-31 |
| Data Protection Manager (Virtual Appliance) | All Supported | Impacted - Remediated | Check with your hardware system vendor and hypervisor vendor for any available updates for the host system to prevent "guest-to-host" and "guest-to-guest" attacks. RSA Data Protection Manager 3.5.2.6.1 contains the resolution for this issue. For more details, refer to the security advisory DSA-2018-078. | 2018-05-31 |
| DCS: Certificate Manager | 6.9 | Not Impacted | It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system. | 2018-01-09 |
| DCS: Validation Manager | 3.2 | Not Impacted | It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system. | 2018-01-09 |
| eFraudNetwork (eFN) | | Not Impacted | Direct access to RSA’s hosted devices and systems is granted only to administrative users who require it for the performance of their job functions. As a result, the reported issues do not introduce additional security risk to customer data hosted within the environment, and patches will be handled through the standard RSA vulnerability remediation process. | 2018-01-17 |
| enVision | EOL | | The product has reached End of Life. Please refer to the Product Version Life Cycle for RSA enVision page on RSA Link. | 2018-01-11 |
| Federated Identity Manager | 4.2 | Not Impacted | It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system. | 2018-01-08 |
| FraudAction (OTMS) | | Not Impacted | Direct access to RSA’s hosted devices and systems is granted only to administrative users who require it for the performance of their job functions. As a result, the reported issues do not introduce additional security risk to customer data hosted within the environment, and patches will be handled through the standard RSA vulnerability remediation process. | 2018-01-17 |
| Identity Governance and Lifecycle (Software), Via Lifecycle and Governance (Software), Identity Management & Governance (Software) | 7.0.2, 7.0.1, 7.0, 6.9.1, 6.9.0 | Not Impacted | It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system. | 2018-01-08 |
| Identity Governance & Lifecycle (Hardware Appliance), Via Lifecycle & Governance (Hardware Appliance), Identity Management & Governance (Hardware Appliance) | 7.0.2, 7.0.1, 7.0, 6.9.1, 6.9.0 | Impacted | A remediation plan is in progress. An appliance updater with OS updates and a security advisory on applying the BIOS fix will be made available (target date: TBD). Any Remote Agents or Remote AFX deployed in the customer environment are a software product only and are not impacted. Check with your hardware system vendor and operating system vendor for any available updates for the host system. | 2018-01-24 |
| Identity Governance and Lifecycle SaaS / MyAccessLive | | Impacted - Remediated | We have confirmed that our third party cloud platform provider has remediated the issue at the platform level. This remediation fully addresses the risk and requires no customer action. Direct access to RSA’s hosted devices and systems is granted only to administrative users who require it for the performance of their job functions. As a result, the reported issues do not introduce additional security risk at the OS level to customer data hosted within the environment, and OS level patches will be handled through the standard RSA vulnerability remediation process. Any Remote Agents or Remote AFX deployed in the customer environment are a software product only and are not impacted. Check with your hardware system vendor and operating system vendor for any available updates for the host system. | 2018-01-15 |
| NetWitness Endpoint (ECAT) | All Supported | Not Impacted | It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system. | 2018-01-08 |
| NetWitness Logs & Packets / Security Analytics (Hardware Appliance) | All Supported | Not Impacted | As a single, root-user-only appliance, the reported issues do not introduce any additional security risk to a customer's environment because a root level user already has full access to all information on the system. Customers should follow the recommended best practices to protect the access of highly privileged accounts. The BIOS/OS updates will be incorporated into the product release as part of the regular patching process (current target date is February 2018). | 2018-01-17 |
| NetWitness Logs & Packets / Security Analytics (Virtual Appliance) | All Supported | Not Impacted | It is a single-user, root-user-only virtual appliance. The reported issues do not introduce any additional security risk to a customer's environment for "in-guest" attacks, provided the recommended best practices to protect the access of highly privileged accounts are followed. Check with your hardware system vendor and hypervisor vendor for any available updates for the host system to prevent "guest-to-host" and "guest-to-guest" attacks. | 2018-01-11 |
| NetWitness Logs & Packets / Security Analytics - Legacy Windows Collector | All Supported | Not Impacted | It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system. | 2018-01-10 |
| NetWitness Live Infrastructure | | Not Impacted | Direct access to RSA’s hosted devices and systems is granted only to administrative users who require it for the performance of their job functions. As a result, the reported issues do not introduce additional security risk to customer data hosted within the environment, and patches will be handled through the standard RSA vulnerability remediation process. | 2018-01-17 |
| RSA Authentication Client (RAC) | All Supported | Not Impacted | It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system. | 2018-01-10 |
| RSA Central | | Not Impacted | Direct access to RSA’s hosted devices and systems is granted only to administrative users who require it for the performance of their job functions. As a result, the reported issues do not introduce additional security risk to customer data hosted within the environment, and patches will be handled through the standard RSA vulnerability remediation process. | 2018-01-17 |
| SecurID Access Cloud Service | All Supported | Impacted - Remediated | We have confirmed that our third party cloud platform provider has remediated the issue at the platform level. This remediation fully addresses the risk and requires no customer action. Direct access to RSA’s hosted devices and systems is granted only to administrative users who require it for the performance of their job functions. As a result, the reported issues do not introduce additional security risk at the OS level to customer data hosted within the environment, and OS level patches will be handled through the standard RSA vulnerability remediation process. | 2018-01-15 |
| SecurID Access IDR VM | All Supported | Not Impacted | Access to the virtual appliance OS to load external code is restricted to highly privileged accounts only. The reported issues do not introduce any additional security risk to a customer's environment for potential "in-guest" attacks, provided the recommended best practices to protect the access of highly privileged accounts are followed. Check with your hardware system vendor and hypervisor vendor for any available updates for the host system to prevent "guest-to-host" and "guest-to-guest" attacks. | 2018-01-15 |
| SecurID Agent for PAM | All Supported | Not Impacted | It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system. | 2018-01-09 |
| SecurID Agent for Web | All Supported | Not Impacted | It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system. | 2018-01-09 |
| SecurID Agent for Windows | All Supported | Not Impacted | It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system. | 2018-01-09 |
| SecurID Authenticate App for Android | All Supported | Not Impacted | It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system. | 2018-01-11 |
| SecurID Authenticate App for iOS | All Supported | Not Impacted | It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system. | 2018-01-11 |
| SecurID Authenticate App for Windows 10 | All Supported | Not Impacted | It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system. | 2018-01-11 |
| SecurID Authentication Engine | All Supported | Not Impacted | It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system. | 2018-01-09 |
| SecurID Authentication SDK | All Supported | Not Impacted | It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system. | 2018-01-09 |
| SecurID Software Token Converter | All Supported | Not Impacted | It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system. | 2018-01-09 |
| SecurID Software Token for Android | All Supported | Not Impacted | It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system. | 2018-01-09 |
| SecurID Software Token for Blackberry | All Supported | Not Impacted | It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system. | 2018-01-09 |
| SecurID Software Token for Desktop | All Supported | Not Impacted | It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system. | 2018-01-09 |
| SecurID Software Token for iPhone | All Supported | Not Impacted | It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system. | 2018-01-09 |
| SecurID Software Token for Windows Mobile | All Supported | Not Impacted | It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system. | 2018-01-09 |
| SecurID Software Token Toolbar | All Supported | Not Impacted | It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system. | 2018-01-09 |
| SecurID Software Token Web SDK | All Supported | Not Impacted | It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system. | 2018-01-09 |
| SecurID Transaction Signing SDK | All Supported | Not Impacted | It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system. | 2018-01-09 |
| SYN | | Impacted - Remediated | We have confirmed that our third party cloud platform provider has remediated the issue at the platform level. This remediation fully addresses the risk and requires no customer action. Direct access to RSA’s hosted devices and systems is granted only to administrative users who require it for the performance of their job functions. As a result, the reported issues do not introduce additional security risk at the OS level to customer data hosted within the environment, and OS level patches will be handled through the standard RSA vulnerability remediation process. | 2018-01-17 |
| Web Threat Detection | All Supported | Not Impacted | It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system. | 2018-01-10 |
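Most rows in the table above defer to the host operating system vendor for software-only products and to the hypervisor vendor for guest-to-host protection. On a Linux host or guest the kernel itself reports whether it applies a mitigation for each variant, which is the quickest way to confirm that a vendor update actually took effect. The script below is an added example written for this page, not RSA's own code or tooling: it reads the per-variant status files that Linux 4.15 and later expose under /sys/devices/system/cpu/vulnerabilities (spectre_v1, spectre_v2, meltdown), rates each as OK, FAIL or UNKNOWN, and exits non-zero when any variant is still reported as Vulnerable or cannot be determined. The sample directories it builds are constructed test data; point check_host at the real sysfs path on a live system.

```shell
#!/bin/sh
# Added example (not from the RSA article): report a Linux kernel's mitigation
# status for the three variants this advisory covers. Linux 4.15 and later
# export one file per variant under /sys/devices/system/cpu/vulnerabilities,
# each reading "Not affected", "Vulnerable" or "Mitigation: <details>".
# The sample directories built below are constructed test data, not real hosts.

# report_variant FILE CVE
# Prints one status line. Returns 0 if the kernel reports the variant as handled
# ("Not affected" or "Mitigation: ..."), 1 if it reports "Vulnerable", and 2 if
# the file is missing or unrecognised (a kernel too old to report it at all).
report_variant() {
    file="$1"; cve="$2"
    if [ ! -r "$file" ]; then
        printf '%-14s UNKNOWN: %s missing (kernel predates mitigation reporting)\n' "$cve" "${file##*/}"
        return 2
    fi
    status=$(cat "$file")
    case "$status" in
        "Not affected"*|Mitigation:*) printf '%-14s OK:      %s\n' "$cve" "$status"; return 0 ;;
        Vulnerable*)                  printf '%-14s FAIL:    %s\n' "$cve" "$status"; return 1 ;;
        *)                            printf '%-14s UNKNOWN: %s\n' "$cve" "$status"; return 2 ;;
    esac
}

# check_host DIR
# Runs report_variant for all three variants under DIR and returns the worst
# result: 1 if any variant is Vulnerable, otherwise 2 if any is unknown,
# otherwise 0. Use DIR=/sys/devices/system/cpu/vulnerabilities on a live host.
check_host() {
    dir="$1"; worst=0
    for pair in spectre_v1:CVE-2017-5753 spectre_v2:CVE-2017-5715 meltdown:CVE-2017-5754; do
        if report_variant "$dir/${pair%%:*}" "${pair#*:}"; then rc=0; else rc=$?; fi
        # Vulnerable (1) outranks unknown (2), which outranks OK (0).
        if [ "$rc" -eq 1 ] || { [ "$rc" -eq 2 ] && [ "$worst" -ne 1 ]; }; then worst=$rc; fi
    done
    return "$worst"
}

# make_sample DIR V1 V2 V3
# Writes constructed status files so the checker can be exercised without sysfs.
make_sample() {
    mkdir -p "$1"
    printf '%s\n' "$2" > "$1/spectre_v1"
    printf '%s\n' "$3" > "$1/spectre_v2"
    printf '%s\n' "$4" > "$1/meltdown"
}

# Demonstration on constructed data: a patched host and an unpatched one.
demo_root=$(mktemp -d)
make_sample "$demo_root/patched" \
    "Mitigation: __user pointer sanitization" \
    "Mitigation: Full generic retpoline" \
    "Mitigation: PTI"
make_sample "$demo_root/unpatched" "Vulnerable" "Vulnerable" "Vulnerable"
for host in patched unpatched; do
    echo "== $host =="
    if check_host "$demo_root/$host"; then echo "result: all mitigated"; else echo "result: action needed (rc=$?)"; fi
done
rm -rf "$demo_root"
```

Run it inside a virtual appliance to verify the guest kernel (the "in-guest" case in the table) and separately on the hypervisor host, since a mitigated guest says nothing about guest-to-host or guest-to-guest isolation. A kernel that predates the status files reports UNKNOWN for every variant and should be treated as unpatched. On Windows hosts the equivalent check is Microsoft's SpeculationControl PowerShell module (Get-SpeculationControlSettings).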
Notes: For information regarding the impact on other Dell products, refer to the following knowledge base articles:

Disclaimer

Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1-800-995-5095. RSA Security LLC and its affiliates, including without limitation its ultimate parent company, EMC Corporation, distribute RSA Security Advisories in order to bring important security information to the attention of users of the affected RSA products. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided 'as is' without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA, its affiliates or suppliers be liable for any damages whatsoever, including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates or suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
