CVE-2018-3640 and CVE-2018-3639
- Article Number: 000015974
- Products: Sidewinder
- Version: 8.3, 7.0
- Last Published Date: June 13, 2018
CVE-2018-3639 – Medium
CVE-2018-3640 – Low
Speculative execution vulnerabilities.
KBA Detailed Information
The following descriptions are from NIST:
Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4.
Systems with microprocessors utilizing speculative execution and that perform speculative reads of system registers may allow unauthorized disclosure of system parameters to an attacker with local user access via a side-channel analysis, aka Rogue System Register Read (RSRE), Variant 3a.
For additional information, see the following:
The CVE-2018-3639 and CVE-2018-3640 attacks are not a remote compromise against the Sidewinder firewall. These vulnerabilities have no direct impact on the Sidewinder and very little indirect impact.
The vulnerabilities allow a local user with normal user privileges to read kernel memory and registers via a specially crafted exploit program. The Sidewinder firewall is not a general purpose system and only trusted administrators should have local user accounts. In order to minimize the possibility of attack by a rogue Sidewinder administrator, we created e-patches 7.0.1.03E116 and 8.3.2E154 which prevent execution of binaries not published by Forcepoint.
Most network services are not vulnerable because of details of the Sidewinder architecture. There are a small number of network services that could be vulnerable to the attacks. However, those services would have to first be exploited by a remote execution vulnerability, and most remote execution attacks are thwarted by Type Enforcement.
Hotfix and Information About Other Fixes
The following patches are available to resolve these vulnerabilities:
E-patches 7.0.1.03E16 and 8.3.2E154 prevent execution of programs not published by Forcepoint by disallowing compiled binaries labelled with type "scrp" from being executed, which a rogue administrator (Admn) could previously do; genuine scripts of type "scrp" are still allowed. The patch also detects a Meltdown attack in progress, kills the offending program, and audits that the attack occurred. This patch has no performance impact.
If you are running Sidewinder or Control Center on VMware, please be sure to apply the VMware patches as well.
Sidewinder download information:
User password: 34bT4hF3AFJn
Server name: csftp.us.stonesoft.com