On May 21, 2018, researchers disclosed two vulnerabilities that take advantage of the implementation of speculative execution of instructions on many modern microprocessor architectures to perform side-channel information disclosure attacks. These vulnerabilities could allow an unprivileged, local attacker, in specific circumstances, to read privileged memory belonging to other processes.
The first vulnerability, CVE-2018-3639, is known as Spectre Variant 4 or SpectreNG (Intel's name for it is Speculative Store Bypass). The second vulnerability, CVE-2018-3640, is known as Spectre Variant 3a (Intel's name for it is Rogue System Register Read). Both are variants of the Spectre attacks disclosed in January 2018 and rely on cache-timing side channels to infer the data exposed by speculative execution.
To exploit either of these vulnerabilities, an attacker must be able to run crafted code (native or script) on an affected device. Although the underlying CPU and operating system combination in a product or service may be affected by these vulnerabilities, the majority of Cisco products are closed systems that do not allow customers to run custom code and are, therefore, not vulnerable: there is no vector through which to exploit them. Cisco products are considered potentially vulnerable only if they allow customers to execute custom code side by side with Cisco code on the same microprocessor.
A Cisco product that may be deployed as a virtual machine or a container, even while not directly affected by any of these vulnerabilities, could be targeted by such attacks if the hosting environment is vulnerable. Cisco recommends that customers harden their virtual environments, tightly control user access, and ensure that all security updates are installed. Customers who are deploying products as a virtual device in multi-tenant hosting environments should ensure that the underlying hardware, as well as operating system or hypervisor, is patched against the vulnerabilities in question.
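One way to act on the advice above, as an added example that is not part of the Cisco advisory: the script below reads the Linux kernel's sysfs status for Variant 4 (CVE-2018-3639) together with the SSBD flag in /proc/cpuinfo and tells the operator which layer (microcode/BIOS, hypervisor, or kernel) still needs patching. The paths, status strings and flag names are those of the mainline Linux kernel; the sample inputs are constructed, not captured from a real host.

```python
"""Added example (not Cisco's code): report whether a Linux host or guest has a
mitigation in place for Spectre Variant 4 (CVE-2018-3639, Speculative Store
Bypass) by combining the kernel's sysfs status with the CPU feature flags."""
import os
import sys

# One status file per issue lives here on Linux 4.17+ (and distro backports).
# There is no entry for Variant 3a (CVE-2018-3640): that issue is addressed by
# microcode alone, so this script only covers Variant 4.
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
SSB_FILE = "spec_store_bypass"

# Flags the kernel prints in /proc/cpuinfo when the CPU or hypervisor exposes
# Speculative Store Bypass Disable (Intel, AMD, and the virtualized AMD form).
SSBD_FLAGS = {"ssbd", "amd_ssbd", "virt_ssbd"}

# Constructed sample inputs (not captured from a real machine), used to show
# the logic on a system without sysfs and by the checks at the bottom.
SAMPLE_STATUS_MITIGATED = "Mitigation: Speculative Store Bypass disabled via prctl and seccomp\n"
SAMPLE_STATUS_VULNERABLE = "Vulnerable\n"
SAMPLE_CPUINFO_WITH_SSBD = (
    "processor\t: 0\n"
    "model name\t: (constructed) x86_64 CPU\n"
    "flags\t\t: fpu vme sse sse2 ssbd ibrs ibpb stibp\n"
)
SAMPLE_CPUINFO_NO_SSBD = (
    "processor\t: 0\n"
    "flags\t\t: fpu vme sse sse2\n"
)


def classify(status_text):
    """Map the kernel's status line to a coarse verdict.

    The file normally reads 'Not affected', 'Vulnerable' or 'Mitigation: ...'.
    Anything else, including an empty string because the file is missing on an
    old kernel, is reported as unknown rather than guessed."""
    text = status_text.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def cpu_has_ssbd(cpuinfo_text):
    """True if any 'flags' line in /proc/cpuinfo carries an SSBD feature flag."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            flags = set(line.split(":", 1)[1].split())
            if flags & SSBD_FLAGS:
                return True
    return False


def assess(status_text, cpuinfo_text):
    """Return (verdict, reason).  The reason names the layer that needs attention:
    microcode/BIOS (or the hypervisor, inside a VM) when no SSBD flag is visible,
    the kernel when the flag is there but not used."""
    verdict = classify(status_text)
    has_flag = cpu_has_ssbd(cpuinfo_text)
    if verdict == "vulnerable" and not has_flag:
        return verdict, ("kernel reports vulnerable and no SSBD flag is visible: "
                         "update microcode/BIOS, or the hypervisor if this is a guest")
    if verdict == "vulnerable":
        return verdict, "CPU exposes SSBD but the kernel is not using it: update the kernel"
    if verdict == "unknown":
        return verdict, "no status reported: kernel predates the sysfs interface, treat as unpatched"
    return verdict, status_text.strip()


def read_host():
    """Read the live files, falling back to empty strings when they are absent."""
    status_path = os.path.join(SYSFS_DIR, SSB_FILE)
    status = open(status_path).read() if os.path.isfile(status_path) else ""
    cpuinfo = open("/proc/cpuinfo").read() if os.path.isfile("/proc/cpuinfo") else ""
    return status, cpuinfo


if __name__ == "__main__":
    # First the constructed samples, then the machine this runs on.
    for label, st, ci in (("sample, patched", SAMPLE_STATUS_MITIGATED, SAMPLE_CPUINFO_WITH_SSBD),
                          ("sample, unpatched", SAMPLE_STATUS_VULNERABLE, SAMPLE_CPUINFO_NO_SSBD)):
        print(f"{label}: {assess(st, ci)}")
    verdict, reason = assess(*read_host())
    print(f"this host, CVE-2018-3639 (Spectre Variant 4): {verdict} ({reason})")
    # Non-zero exit so the check can gate an automated compliance job.
    sys.exit(0 if verdict in ("mitigated", "not_affected") else 1)
```

Run it inside the guest on a multi-tenant host: a guest whose own kernel is patched but whose hypervisor or host microcode is not will typically report "Vulnerable" with no ssbd flag, which is exactly the situation the advisory warns about. Linux exposes no status file for Variant 3a, whose fix ships only in microcode, so that one has to be confirmed from the platform's firmware or microcode revision instead.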
Although Cisco cloud services are not directly affected by these vulnerabilities, the infrastructure on which they run may be impacted. Refer to the “Affected Products” section of this advisory for information about the impact of these vulnerabilities on Cisco cloud services.
Cisco will release software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180521-cpusidechannel
Any product or service not listed in the “Vulnerable Products” section of this advisory is to be considered not vulnerable. The criteria for considering whether a product is vulnerable are explained in the “Summary” section of this advisory.
The following table lists Cisco products and cloud services that are affected by the vulnerabilities described in this advisory:
Product | Cisco Bug ID | Fixed Release Availability |
---|---|---|
Network Application, Service, and Acceleration | ||
Cisco Cloud Services Platform 2100 | CSCvj63868 | Consult the Cisco bug ID for details |
Cisco Wide Area Application Services (WAAS) | CSCvj59144 | Update to v6.x (Available) |
Cisco vBond Orchestrator | - | 18.2 (Available) |
Cisco vEdge 5000 | - | 18.2 (Available) |
Cisco vEdge Cloud | - | 18.2 (Available) |
Cisco vManage NMS | - | |
Cisco vSmart Controller | - | 18.2 (Available) |
Network Management and Provisioning | ||
Cisco Network Functions Virtualization Infrastructure Software | CSCvj59161 | Consult the Cisco bug ID for details |
Routing and Switching - Enterprise and Service Provider | ||
Cisco 4000 Series Integrated Services Routers (IOS XE Open Service Containers) | CSCvj59152 | Consult the Cisco bug ID for details |
Cisco 800 Series Industrial Integrated Services Routers | CSCvj59153 | Consult the Cisco bug ID for details |
Cisco ASR 1000 Series Aggregation Services Router with RP2 or RP3 (IOS XE Open Service Containers) | CSCvj59152 | Consult the Cisco bug ID for details |
Cisco ASR 1001-HX Series Aggregation Services Routers (IOS XE Open Service Containers) | CSCvj59152 | Consult the Cisco bug ID for details |
Cisco ASR 1001-X Series Aggregation Services Routers (IOS XE Open Service Containers) | CSCvj59152 | Consult the Cisco bug ID for details |
Cisco ASR 1002-HX Series Aggregation Services Routers (IOS XE Open Service Containers) | CSCvj59152 | Consult the Cisco bug ID for details |
Cisco ASR 1002-X Series Aggregation Services Routers (IOS XE Open Service Containers) | CSCvj59152 | Consult the Cisco bug ID for details |
Cisco ASR 9000 XR 64-bit Series Routers | CSCvj59142 | Consult the Cisco bug ID for details |
Cisco Application Policy Infrastructure Controller (APIC) | CSCvj59131 | Consult the Cisco bug ID for details |
Cisco CGR 1000 Compute Module (IOx feature) | CSCvj59160 | Consult the Cisco bug ID for details |
Cisco Catalyst 9300 Series Switches - IOx feature | CSCvj59156 | Consult the Cisco bug ID for details |
Cisco Catalyst 9400 Series Switches - IOx feature | CSCvj59157 | Consult the Cisco bug ID for details |
Cisco Catalyst 9500 Series Switches - IOx feature | CSCvj59158 | Consult the Cisco bug ID for details |
Cisco Cloud Services Router 1000V Series (IOS XE Open Service Containers) | CSCvj59152 | Consult the Cisco bug ID for details |
Cisco NCS 1000 Series Routers | CSCvj59142 | Consult the Cisco bug ID for details |
Cisco NCS 5000 Series Routers | CSCvj59142 | Consult the Cisco bug ID for details |
Cisco NCS 5500 Series Routers | CSCvj59142 | Consult the Cisco bug ID for details |
Cisco Nexus 3000 Series Switches | CSCvj59136 | Consult the Cisco bug ID for details |
Cisco Nexus 5000 Series Switches (OAC feature) | CSCvj59138 | Consult the Cisco bug ID for details |
Cisco Nexus 6000 Series Switches (OAC feature) | CSCvj59135 | Consult the Cisco bug ID for details |
Cisco Nexus 7000 Series Switches (OAC feature, Feature Bash) | CSCvj59135 | Consult the Cisco bug ID for details |
Cisco Nexus 9000 Series Switches - Standalone, NX-OS mode | CSCvj59136 | Consult the Cisco bug ID for details |
Cisco Virtual Application Policy Infrastructure Controller (APIC) | CSCvj59131 | Consult the Cisco bug ID for details |
Cisco XRv 9000 Series Routers | CSCvj59142 | Consult the Cisco bug ID for details |
Unified Computing | ||
Cisco C880 M4 Server | CSCvj59127 | Consult the Cisco bug ID for details |
Cisco C880 M5 Server | CSCvj59127 | Consult the Cisco bug ID for details |
Cisco Enterprise Network Compute System 5100 Series Servers | CSCvj59121 | Consult the Cisco bug ID for details |
Cisco Enterprise Network Compute System 5400 Series Servers | CSCvj59121 | Consult the Cisco bug ID for details |
Cisco HyperFlex with VMWare Hypervisor | CSCvj59134 | Consult the Cisco bug ID for details |
Cisco UCS B-Series M2 Blade Servers - Managed | CSCvj59301 | UCS Manager 2.2(8l), 3.1(3j), 3.2(3g) (Available) |
Cisco UCS B-Series M3 Blade Servers | CSCvj54880 | UCS Manager 2.2(8l), 3.1(3j), 3.2(3g) (Available) |
Cisco UCS B-Series M4 Blade Servers (except B260, B460) | CSCvj54187 | UCS Manager 3.2(3e), 3.1(3j), 2.2(8l) (Available) |
Cisco UCS B-Series M5 Blade Servers | CSCvj59266 | UCS Manager 3.2(3g) (Available) |
Cisco UCS B260 M4 Blade Server | CSCvj54847 | UCS Manager 3.2(3e), 3.1(3j), 2.2(8l) (Available) |
Cisco UCS B460 M4 Blade Server | CSCvj54847 | UCS Manager 3.2(3e), 3.1(3j), 2.2(8l) (Available) |
Cisco UCS C-Series M2 Rack Servers - Managed | CSCvj59301 | UCS Manager 2.2(8l) (Available) |
Cisco UCS C-Series M2 Rack Servers - Standalone | CSCvj59309 | Cisco IMC 1.4(3z09) - (Available) |
Cisco UCS C-Series M2 Rack Servers [EX processor family servers] - Standalone | CSCvj59304 | Cisco IMC 1.5(9f) - (Available) |
Cisco UCS C-Series M3 Rack Servers | CSCvj59312 | UCS Manager 3.2(3g), 3.1(3j), 2.2(8l) (Available); Cisco IMC 3.0(4i), 2.0(9o) (Available) |
Cisco UCS C-Series M4 Rack Servers (except C460) - Standalone [1] | CSCvj59318 | Cisco IMC 3.0(4e), 2.0(10k) (Available) |
Cisco UCS C-Series M4 Rack Servers (except C460) - Managed [1] | CSCvj54187 | UCS Manager 3.2(3e), 3.1(3j), 2.2(8l) (Available) |
Cisco UCS C-Series M5 Rack Servers - Managed [1] | CSCvj59331 | UCS Manager 3.2(3g) (Available) |
Cisco UCS C-Series M5 Rack Servers - Standalone [1] | CSCvj59266 | Cisco IMC 3.1(2i) (Available) |
Cisco UCS C460 M4 Rack Server - Managed | CSCvj54847 | UCS Manager 3.2(3e), 3.1(3j), 2.2(8l) (Available) |
Cisco UCS C460 M4 Rack Server - Standalone | CSCvj59326 | Cisco IMC 3.0(4e), 2.0(12h) (Available) |
Cisco UCS E-Series M2 Servers | CSCvj59121 | Consult the Cisco bug ID for details |
Cisco UCS E-Series M3 Servers | CSCvj59121 | Consult the Cisco bug ID for details |
Cisco UCS S3260 M4 Storage Server | CSCvj54187 | Managed: UCS Manager 3.2(3e), 3.1(3j), 2.2(8l) (Available); Standalone: Cisco IMC 3.0(4e) (Available) |
Cisco Virtual Infrastructure Manager | CSCvj75271 | 2.4.1, 2.2.24 (Available) |
Voice and Unified Communications Devices | ||
Cisco Remote Expert Mobile | CSCvj59167 | Consult the Cisco bug ID for details |
Cisco Cloud Hosted Services | ||
Cisco Metacloud | CSCvj59149 | Consult the Cisco bug ID for details |
Cisco Threat Grid | - | |
[1] Cisco UCS M4 and M5 Rack Servers are used as part of the Cisco HyperFlex Solution.
The following Cisco products are considered not vulnerable to Spectre Variant 3a or Spectre Variant 4. Specific models in these product families may be affected and will be explicitly listed in the preceding “Vulnerable Products” section.
Branch Routers
Data Center Interconnect Platforms
Industrial Routers
Cloud Networking Services
Mobile Internet Routers
Service Provider Core Routers
Service Provider Edge Routers
Small Business Routers
Virtual Routers
WAN Optimization
Blade Switches
Campus LAN Switches - Access
Campus LAN Switches - Core and Distribution
Campus LAN Switches - Digital Building
Data Center Switches
Industrial Ethernet Switches
InfiniBand Switches
LAN Switches - Small Business
Service Provider Switches - Aggregation
Service Provider Switches - Ethernet Access
Virtual Networking
Cloud Networking Services
WAN Switches
MGX Switches
Indoor Access Points
Outdoor and Industrial Access Points
Wireless LAN Controllers
Cisco Cloud-Hosted Products
Email Security
Firewalls
Firewall Management
Network Security
Network Visibility and Segmentation
Next-Generation Intrusion Prevention System (NGIPS)
Security Management
No other Cisco IP Video products are known to be affected.
Cisco has investigated the following products, and they are not considered to be affected by the vulnerabilities that are described in this advisory:
Network Application, Service, and Acceleration

A vulnerability due to the design of most modern CPUs could allow a local attacker to access sensitive information on a targeted system.
The vulnerability is due to improper implementation of the speculative execution of instructions in the affected CPUs. It can be triggered by causing the CPU to perform a speculative memory read before an older, still-queued memory write to the same address has completed. The speculative read may then return stale data (for example, a pointer or index that the program has already overwritten), and a subsequent access that depends on that stale value leaves a trace in the cache even though the speculative result is later discarded. An attacker could exploit this vulnerability by executing arbitrary code and performing a side-channel attack on the cache of the targeted system. A successful exploit could allow the attacker to read sensitive memory information.
This vulnerability has been assigned the following CVE ID: CVE-2018-3639
A vulnerability due to the design of most modern CPUs could allow a local attacker to access sensitive information on a targeted system.
The vulnerability is due to improper implementation of the speculative execution of instructions in the affected CPUs. It can be triggered by causing an affected platform to speculatively read a system register (for example, a model-specific register) that the executing code is not privileged to read. Although the architectural result is discarded, the speculatively read value can steer a subsequent memory access and thus leave a trace in the cache. An attacker could exploit this vulnerability by executing arbitrary code and performing a side-channel attack on the cache of the targeted system. A successful exploit could allow the attacker to read sensitive memory information.
This vulnerability has been assigned the following CVE ID: CVE-2018-3640
For information about fixed software releases, consult the Cisco bug IDs listed in the Vulnerable Products table of this advisory.
When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.
CVE ID CVE-2018-3639 was reported to Intel by Jann Horn of Google Project Zero (GPZ) and Ken Johnson of the Microsoft Security Response Center (MSRC).
CVE ID CVE-2018-3640 was reported to Intel by Zdenek Sojka, Rudolf Marek, and Alex Zuepke from SYSGO AG.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Version | Description | Section | Status | Date |
---|---|---|---|---|
1.15 | Updated fixed software information for UCS M2 Rack Servers; added Cisco Hosted Collaboration Solution for Government to the Confirmed Not Vulnerable section | Affected Products and Products Considered Not Vulnerable After Investigation | Interim | 2018-August-31 |
1.14 | Updated information about the status of fixes for multiple products listed in the Vulnerable Products table. Removed references to ongoing investigation. | Affected Products and Products Considered Not Vulnerable After Investigation | Interim | 2018-August-07 |
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. CISCO EXPECTS TO UPDATE THIS DOCUMENT AS NEW INFORMATION BECOMES AVAILABLE.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.