KB Article | Forcepoint Support

Problem Description

KBA Severity:  
CVE-2018-3639 – Medium
CVE-2018-3640 – Low
 
CVE Numbers: 
CVE-2018-3639
CVE-2018-3640
 
KBA Summary
Speculative execution vulnerabilities.
 
Affected Products
  • Forcepoint Sidewinder
 
KBA Detailed Information
The following descriptions are from NIST
 
CVE-2018-3639
Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4.
 
CVE-2018-3640
Systems with microprocessors utilizing speculative execution and that perform speculative reads of system registers may allow unauthorized disclosure of system parameters to an attacker with local user access via a side-channel analysis, aka Rogue System Register Read (RSRE), Variant 3a.
 
For additional information, see the following:  
CVE References  
Vulnerability risk
The CVE-2018-3639 and CVE-2018-3640 attacks are not a remote compromise against the Sidewinder firewall. These vulnerabilities have no direct impact on the Sidewinder and very little indirect impact. 
 
The vulnerabilities allow a local user with normal user privileges to read kernel memory and registers via a specially crafted exploit program. The Sidewinder firewall is not a general purpose system and only trusted administrators should have local user accounts. In order to minimize the possibility of attack by a rogue Sidewinder administrator, we created e-patches 7.0.1.03E116 and 8.3.2E154 which prevent execution of binaries not published by Forcepoint.
 
Most network services are not vulnerable because of details of the Sidewinder architecture. There are a small number of network services that could be vulnerable to the attacks. However, those services would have to first be exploited by a remote execution vulnerability, and most remote execution attacks are thwarted by Type Enforcement.


 

Resolution

Hotfix and Information About Other Fixes
 
The following patches are available to resolve these vulnerabilities:
 Sidewinder 7.0.1.03Sidewinder 8.3.2Control Center 5.3.2
CVE-2018-36397.0.1.03E1168.3.2E154* or 8.3.2P11Under analysis
CVE-2018-36407.0.1.03E1168.3.2E154* or 8.3.2P11Under analysis
*indicates patch is obsoleted by a newer patch
 
7.0.1.03E16 and 8.3.2E154 prevent execution of programs not published by Forcepoint by disallowing binaries of type "scrp" from being executed, which a rogue administrator (Admn) could have done previously. Scripts are still allowed with type "scrp". The patch also provides detection of a Meltdown attack in progress, killing the offending program and auditing that the attack occurred. This patch has no performance impact.
 
If you are running Sidewinder or Control Center on VMware, please be sure to apply the VMware patches as well.
 
Sidewinder download information: User name                    : atl-963845ro
User password             : 34bT4hF3AFJn
Server name                 : csftp.us.stonesoft.com
                                      : https://csftp.us.stonesoft.com

https://csftp.us.stonesoft.com/file/access.pl?username=atl-963845ro
ftp://atl-963845ro:34bT4hF3AFJn@csftp.us.stonesoft.com/upload
sftp://atl-963845ro:34bT4hF3AFJn@csftp.us.stonesoft.com/upload
 

Article Feedback



Thank you for the feedback and comments.