F5 Networks BIG-IP : Lazy FP state restore vulnerability (K21344224)

Medium Nessus Plugin ID 118641

Synopsis

The remote device is missing a vendor-supplied security patch.

Description

System software utilizing Lazy FP state restore technique on systems using Intel Core-based microprocessors may potentially allow a local process to infer data from another process through a speculative execution side channel. (CVE-2018-3665)

A Floating-Point (FP) state information leakage flaw was found in the way the Linux kernel saves and restores the FP state during task switch. Linux kernels that follow the 'Lazy FP Restore' scheme are vulnerable to the FP state information leakage issue. An unprivileged, local attacker can use this flaw to read FP state bits by conducting targeted cache side-channel attacks, similar to the Meltdown vulnerability disclosed earlier this year.

Impact

This vulnerability requires an attacker to induce speculative execution of code to acquire privileged information, then leak that information via a micro-architectural side-channel. Intel Core processors are affected. AMD processors are not affected.

F5 is investigating the impact of this vulnerability on our products.
F5 is focused on providing patched releases as soon as we have fully tested and verified fixes. F5 will update this article with the most current information as soon as it is confirmed.

BIG-IP

This vulnerability requires an attacker who can provide and run binary code of their choosing on the BIG-IP platform. This raises a high bar for attackers attempting to target BIG-IP systems over a network and would require an additional, un-patched, user-space remote code execution vulnerability to exploit these new issues.

The only administrative roles on a BIG-IP system that can execute binary code or exploitable analogs, such as JavaScript, are the Administrator, Resource Administrator, Manager, and iRules Manager roles. The Administrator and Resource Administrator roles already have nearly complete access to the system and all secrets on the system that are not protected by hardware-based encryption. The Manager and iRules Manager roles have access restrictions, but they can install new iRulesLX code. A malicious authorized Manager or iRules Manager can install malicious binary code to exploit these information leaks and gain more privileged access. F5 recommends limiting these roles to trusted employees.

To determine the processor type used by each platform and if the platform is affected by thisvulnerability, refer to the following table.

Note : In the following table, only one entry is shown for platform models that may have several variants. For example, BIG-IP 11000, BIG-IP 11050, BIG-IP 11050F, and BIG-IP 11050N are allincluded in the table as 'BIG-IP 110x0'. Some platforms may have multiple vendor processors, such as the iSeries platforms, which have one or more Intel Core processors and may have a vulnerable ARM processor in one or more subsystems. F5 does not believe that ARM processors in these subsystems are accessible to attackers, unless some other code-execution vulnerability is present, but the information is being provided out of an abundance of caution.

Model Processor type Vulnerable to CVE-2018-3665 Lazy FP state restore VIPRION B21x0 Intel N* VIPRION B2250 Intel N* VIPRION B4100 AMD N VIPRION B4200 AMD N VIPRION B43x0 Intel N* VIPRION B44x0 Intel N* BIG-IP2xx0 Intel Y BIG-IP4xx0 Intel N* BIG-IP5xx0 Intel N* BIG-IP7xx0 Intel N* BIG-IP10xx0 Intel N* BIG-IP 110x0 AMD N BIG-IP12xx0 Intel N* BIG-IPi2x00 Intel, ARM N* BIG-IPi4x00 Intel, ARM N* BIG-IPi5x00 Intel, ARM N* BIG-IPi7x00 Intel, ARM N* BIG-IPi10x00 Intel, ARM N* BIG-IP 800 Intel Y BIG-IP 1600 Intel Y BIG-IP 3600 Intel Y BIG-IP 3900 Intel N* BIG-IP6400 AMD N BIG-IP6900 AMD N BIG-IP89x0 AMD N

*Intel Xeon based processors are not vulnerable to this issue.

Note : Platform models that have reached End of Technical Support (EoTS) will not be evaluated. For more information, refer toK4309: F5 platform lifecycle support policy.

BIG-IQ and Enterprise Manager

To determine the processor type used by each platform and if the platform is affected by thisvulnerability, refer to the following table.

Model Processor type Vulnerable to CVE-2018-3665 Lazy FP state restore BIG-IQ 7000 Intel Y Enterprise Manager 4000 Intel Y

Note : Platform models that have reached EoTS will not be evaluated.
For more information, refer toK4309: F5 platform lifecycle support policy.

ARX

To determine the processor type used by each platform and if the platform is affected by thisvulnerability, refer to the following table.

Model Processor type Vulnerable to CVE-2018-3665 Lazy FP state restore ARX 1500+ Intel Y* ARX 2500 Intel Y* ARX 4000/4000+ Intel Y*

*The specified platforms contain the affected processor. However, F5 identifies the ARX software vulnerability status as Not vulnerable because the attacker cannot exploit the code in default, standard, or recommended configurations.

Note : Platform models that have reached EoTS will not be evaluated.
For more information, refer toK4309: F5 platform lifecycle support policy.

Traffix SDC

Systems with microprocessors that use speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access by way of a side-channel analysis.

LineRate

Systems with microprocessors that use speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access by way of a side-channel analysis.

For products with None in the Versions known to be vulnerable column in the following table, there is no impact.

Solution

Upgrade to one of the non-vulnerable versions listed in the F5 Solution K21344224.

See Also

https://support.f5.com/csp/#/article/K21344224

https://support.f5.com/csp/article/K4309

Plugin Details

Severity: Medium

ID: 118641

File Name: f5_bigip_SOL21344224.nasl

Version: 1.1

Type: local

Published: 2018/11/02

Modified: 2018/11/02

Dependencies: 76940

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 4.7

Vector: CVSS2#AV:L/AC:M/Au:N/C:C/I:N/A:N

CVSS v3.0

Base Score: 5.6

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

Vulnerability Information

CPE: cpe:/a:f5:big-ip_access_policy_manager, cpe:/a:f5:big-ip_advanced_firewall_manager, cpe:/a:f5:big-ip_application_acceleration_manager, cpe:/a:f5:big-ip_application_security_manager, cpe:/a:f5:big-ip_application_visibility_and_reporting, cpe:/a:f5:big-ip_global_traffic_manager, cpe:/a:f5:big-ip_link_controller, cpe:/a:f5:big-ip_local_traffic_manager, cpe:/a:f5:big-ip_policy_enforcement_manager, cpe:/a:f5:big-ip_webaccelerator, cpe:/h:f5:big-ip

Required KB Items: Host/local_checks_enabled, Host/BIG-IP/hotfix, Host/BIG-IP/modules, Host/BIG-IP/version

Patch Publication Date: 2018/06/21

Reference Information

CVE: CVE-2018-3665