Meltdown and Spectre Vulnerability - Next Generation Firewall
- Article Number: 000014989
- Products: NGFW Appliances, Next Generation Firewall (NGFW)
- Version: 6.4, 6.3, 6.2, 5.10
- Last Published Date: March 29, 2018
Notes & Warnings
KB 14933 describes the Meltdown and Spectre vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754).
This article provides additional information specific to the Forcepoint NGFW product.
The Meltdown and Spectre attacks are not a remote compromise against the Forcepoint NGFW Engine. These vulnerabilities have no direct impact on the NGFW Engine and very little indirect impact.
The Forcepoint NGFW Firewall only runs trusted code. Exploiting a vulnerability would require a trusted administrator to copy a harmful file to the Forcepoint NGFW Firewall and execute it.
The Meltdown vulnerability allows a local user with normal user privileges to read kernel memory via a specially crafted exploit program. The Forcepoint NGFW Engine is not a general-purpose system and only trusted administrators should have local user accounts.
In environments that are required to comply with the FIPS 140-2 standard, the Forcepoint NGFW Engines are run in FIPS mode. In FIPS mode, local user accounts are not available.
Caution: Do not run the Forcepoint NGFW Engines in FIPS mode unless you are specifically required to do so.
Information About Fixes
The following table shows the planned schedule for fixes:
sg-bootconfig --pti=on apply
root=/dev/ram0 init=/linuxrc SGSIDE=B crashkernel=96M@0M maxcpus=16 pti=on console=tty0 SGCONS_0L=0
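The pti=on parameter on the kernel command line above is the Linux kernel's page-table isolation switch, the mitigation for Meltdown. As an added verification example (not part of this article or of the Forcepoint product), the following POSIX shell helper reports what a given kernel command line requests and, when invoked with --live on a Linux host, what the running kernel itself reports through sysfs; the precedence rules and the sysfs path are those of the mainline Linux kernel, and whether the script can be run on an NGFW Engine is an assumption.

```shell
#!/bin/sh
# Added verification helper (not Forcepoint code): report whether kernel
# page-table isolation (PTI), the Meltdown mitigation selected by pti=on,
# is requested by a Linux kernel command line, and what the running kernel
# reports. Constructed sample: the command line quoted in the article.
SAMPLE_CMDLINE='root=/dev/ram0 init=/linuxrc SGSIDE=B crashkernel=96M@0M maxcpus=16 pti=on console=tty0 SGCONS_0L=0'

# pti_state CMDLINE -> prints on, off or auto.
# Mirrors the mainline kernel's precedence: "nopti" disables PTI regardless
# of any pti= value; otherwise pti=on forces it on, pti=off disables it, and
# anything else (including no parameter) leaves the decision to the kernel,
# which enables PTI only on CPUs it flags as affected ("auto").
pti_state() {
    state=auto
    for param in $1; do   # unquoted on purpose: split on whitespace
        case "$param" in
            nopti)    printf 'off\n'; return 0 ;;
            pti=on)   state=on ;;
            pti=off)  state=off ;;
            pti=auto) state=auto ;;
        esac
    done
    printf '%s\n' "$state"
}

# meltdown_sysfs -> the kernel's own verdict (e.g. "Mitigation: PTI"), or
# "unknown" on kernels without /sys/devices/system/cpu/vulnerabilities/.
meltdown_sysfs() {
    f=/sys/devices/system/cpu/vulnerabilities/meltdown
    if [ -r "$f" ]; then cat "$f"; else printf 'unknown\n'; fi
}

# check_running_kernel -> exit status 0 only if the live /proc/cmdline
# requests PTI explicitly (pti=on), as the sg-bootconfig line above does.
check_running_kernel() {
    [ -r /proc/cmdline ] || return 2
    [ "$(pti_state "$(cat /proc/cmdline)")" = on ]
}

if [ "${1:-}" = --live ]; then
    printf 'cmdline: %s\nsysfs: %s\n' \
        "$(pti_state "$(cat /proc/cmdline)")" "$(meltdown_sysfs)"
else
    printf 'sample: %s\n' "$(pti_state "$SAMPLE_CMDLINE")"   # prints "sample: on"
fi
```

The sysfs file only reports the kernel's view of its own mitigation; on virtual appliances the hypervisor and microcode status still has to be confirmed with the vendor, as the next paragraph notes.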
If you are running NGFW on third-party hardware or virtual appliances such as VMware, KVM, AWS, ESXi, Azure, or Hyper-V, please work with your hardware and OS/Hypervisor vendors to determine vulnerability status.