KB Article | Forcepoint Support

Problem Description

KB 14933 provides a description of the Meltdown and Spectre Vulnerabilities CVE-2017-5715, CVE-2017-5753, CVE-2017-5754.

This article provides additional information specific to the Forcepoint NGFW product.

Vulnerability risk

The Meltdown and Spectre attacks are not a remote compromise against the Forcepoint NGFW Engine. These vulnerabilities have no direct impact on the NGFW Engine and very little indirect impact.

The Forcepoint NGFW Firewall only runs trusted code. Exploiting a vulnerability would require a trusted administrator to copy a harmful file to the Forcepoint NGFW Firewall and execute it.

The Meltdown vulnerability allows a local user with normal user privileges to read kernel memory via a specially crafted exploit program. The Forcepoint NGFW Engine is not a general-purpose system and only trusted administrators should have local user accounts.

In environments that are required to follow the FIPS-140-2 standards, the Forcepoint NGFW Engines are run in FIPS mode. In FIPS mode, local user accounts are not available.

Caution: Do not run the Forcepoint NGFW Engines in FIPS mode unless you are specifically required to do so.

Resolution

Information About Fixes

The following table shows the planned schedule for fixes:

Vulnerability             NGFW 5.10        NGFW 6.2         NGFW 6.3                                             NGFW 6.4
CVE-2017-5715 (Spectre)   No fix planned   No fix planned   Fix included in NGFW 6.3.3, released in March 2018   Fix included in NGFW 6.4.0, released in February 2018
CVE-2017-5753 (Spectre)   No fix planned   No fix planned   Fix included in NGFW 6.3.3, released in March 2018   Fix included in NGFW 6.4.0, released in February 2018
CVE-2017-5754 (Meltdown)  No fix planned   No fix planned   Fix included in NGFW 6.3.3, released in March 2018   Fix included in NGFW 6.4.0, released in February 2018


In the fixed NGFW versions, the optional hardening against these vulnerabilities (kernel page table isolation) is enabled by default only when the NGFW Engine is in FIPS mode. If the NGFW Engine is not in FIPS mode, you must enable kernel page table isolation manually, as described below.

Caution: Do not use NGFW Engines in FIPS mode unless you are specifically required to do so.

Check if kernel page table isolation is enabled

Enter the following command:

cat /proc/cmdline

If the following string is included in the output, kernel page table isolation is enabled:

pti=on

Example:

root=/dev/ram0 init=/linuxrc SGSIDE=B crashkernel=96M@0M maxcpus=16 pti=on console=tty0 SGCONS_0L=0

If the string is not included in the output, kernel page table isolation is not enabled.

Enable kernel page table isolation

  1. Enter the following command:
     sg-bootconfig --pti=on apply
  2. Restart the NGFW Engine to activate the new setting.
  3. After you have restarted the NGFW Engine, enter the following command:
     cat /proc/cmdline
  4. Check that the following string is included in the output:
     pti=on

Example:

root=/dev/ram0 init=/linuxrc SGSIDE=B crashkernel=96M@0M maxcpus=16 pti=on console=tty0 SGCONS_0L=0
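The check and enable steps above can be scripted so that the pti=on test matches a whole kernel parameter rather than a substring, which matters because pti=off and nopti are also valid parameters and a later parameter overrides an earlier one. The script below is an added example written for this article; it is not Forcepoint tooling. It assumes /proc/cmdline is the live command line (as the article states), that the sysfs file /sys/devices/system/cpu/vulnerabilities/meltdown is the mainline Linux report of the Meltdown mitigation state (whether the NGFW Engine kernel exposes that file is not stated in the article, so its absence is handled), and that the sample command lines used to exercise pti_state are constructed from the article's example output.

```shell
#!/bin/sh
# Added example (not Forcepoint's own tooling): report whether kernel page
# table isolation (KPTI) is requested on the kernel command line and, if not,
# print the sg-bootconfig command from the article that enables it.
#
# Assumptions (labelled as such):
#  - /proc/cmdline is the running kernel's command line, as in the article.
#  - /sys/devices/system/cpu/vulnerabilities/meltdown is the mainline Linux
#    sysfs file reporting the Meltdown mitigation; the article does not say
#    whether the NGFW Engine kernel exposes it, so a missing file is tolerated.

# pti_state CMDLINE -> prints "on" or "off".
# The command line is split on whitespace and each parameter is matched whole,
# so "pti=off", "nopti" and parameters such as "xpti=on" are never mistaken for
# "pti=on". The last relevant parameter wins, as the kernel treats it.
pti_state() (
    set -f                          # no pathname expansion while splitting
    state=off
    for param in $1; do
        case $param in
            pti=on)         state=on ;;
            pti=off|nopti)  state=off ;;
        esac
    done
    printf '%s\n' "$state"
)

# live_cmdline -> prints the running kernel's command line.
live_cmdline() {
    cat /proc/cmdline
}

# sysfs_meltdown_status -> prints the kernel's own mitigation report, if any.
sysfs_meltdown_status() {
    f=/sys/devices/system/cpu/vulnerabilities/meltdown
    if [ -r "$f" ]; then
        cat "$f"
    else
        printf '%s\n' "not reported by this kernel (assumed sysfs file absent)"
    fi
}

# main -> exit 0 when KPTI is enabled, 1 when it is not.
main() {
    cmdline=$(live_cmdline)
    printf 'Kernel command line: %s\n' "$cmdline"
    printf 'Meltdown status (sysfs): %s\n' "$(sysfs_meltdown_status)"
    if [ "$(pti_state "$cmdline")" = on ]; then
        printf 'Kernel page table isolation is enabled.\n'
        return 0
    fi
    printf 'Kernel page table isolation is NOT enabled. To enable it, run:\n'
    printf '  sg-bootconfig --pti=on apply\n'
    printf 'then restart the NGFW Engine and run this check again.\n'
    return 1
}

# The live check runs only with "--live" so the functions can also be sourced.
if [ "${1:-}" = --live ]; then
    main
fi
```

Run it on the engine as sh pti-check.sh --live; a non-zero exit code means the command line does not request KPTI, which on NGFW means the hardening is not enabled and the sg-bootconfig step is still needed. The sysfs line is only informational here: on mainline kernels it states the actual mitigation, but the article's documented test for NGFW is the pti=on parameter.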
 
If you are running NGFW on third-party hardware or virtual appliances such as VMware, KVM, AWS, ESXi, Azure, or Hyper-V, please work with your hardware and OS/Hypervisor vendors to determine vulnerability status.

Forcepoint has released dynamic update package 1034-5242, which detects the Spectre side-channel attack. For more information about this dynamic update package, see the release notes.
