F5 Networks BIG-IP : Virtual Machine Manager L1 Terminal Fault vulnerability (K31300402) (Foreshadow)
Severity: Medium. Nessus Plugin ID 125480

Synopsis
The remote device is missing a vendor-supplied security patch.

Description
Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis. (CVE-2018-3646, also known as Foreshadow-NG)
CVE-2018-3646 requires an attacker who is capable of providing and running binary code of their choosing on the BIG-IP platform. This raises a high bar for attackers attempting to target BIG-IP systems over a network and would require an additional, unpatched, user-space remote code execution vulnerability to exploit these new issues.
F5 believes that BIG-IP virtual editions running as a guest on public or private cloud infrastructure are no more vulnerable than any other Linux based guest. The host hypervisor must be patched to mitigate these issues for the host and between guests.
F5 believes that the highest impact realistic attack for CVE-2018-3646 may occur in multi-tenancy vCMP configurations:
CVE-2018-3646 may allow an attacker in one administrative domain to collect privileged information from the host or from guests owned by another administrative domain, as long as the attacker's guest is configured as a single-core guest. Exploiting these attacks would be significantly more difficult on BIG-IP than on a standard Linux based system because of the BIG-IP memory and process scheduling architecture. BIG-IP always maps both hyper-threads of a given core to any guest whose 'Cores Per Guest' setting is two or more, but single-core guests may execute on the same processor core as another single-core guest or as host code. This threat may be mitigated by ensuring all guests are set to at least two 'Cores Per Guest'.
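The mitigation above is a configuration check: no vCMP guest should be left at a single core. The following script is an added example, not code from Tenable or F5, that parses tmsh-style `vcmp guest` listing output and flags guests that are below the two-core threshold or whose core count is not visible in the listing. The sample output is constructed, and the property name `cores-per-slot` is assumed to be the tmsh counterpart of the GUI's 'Cores Per Guest' setting; confirm the name and the list format on your own system before relying on it.

```python
"""Flag vCMP guests configured with fewer than two cores (added example)."""
import re

# Constructed sample in the shape of `tmsh list vcmp guest` output.
# `cores-per-slot` is assumed to be the tmsh name for 'Cores Per Guest';
# tenant-c omits the property, as tmsh does for default-valued settings
# unless `all-properties` is requested.
SAMPLE_TMSH_OUTPUT = """\
vcmp guest tenant-a {
    cores-per-slot 2
    state deployed
}
vcmp guest tenant-b {
    cores-per-slot 1
    state deployed
}
vcmp guest tenant-c {
    state configured
}
"""

# Guest blocks close with a brace at column zero; nested tmsh sub-blocks are
# indented, so the lazy match stops at the correct outer closing brace.
GUEST_RE = re.compile(r"^vcmp guest (\S+) \{(.*?)\n\}", re.S | re.M)
CORES_RE = re.compile(r"^\s*cores-per-slot\s+(\d+)\s*$", re.M)

MINIMUM_CORES = 2  # mitigation threshold stated in the advisory


def parse_guests(text):
    """Return {guest_name: cores or None} from tmsh-style listing output.

    None means the property was not printed, which is treated as unknown
    rather than assumed to be safe.
    """
    guests = {}
    for match in GUEST_RE.finditer(text):
        name, body = match.group(1), match.group(2)
        cores = CORES_RE.search(body)
        guests[name] = int(cores.group(1)) if cores else None
    return guests


def flag_guests(guests, minimum=MINIMUM_CORES):
    """Return {guest_name: reason} for guests that need attention."""
    findings = {}
    for name, cores in guests.items():
        if cores is None:
            findings[name] = "cores-per-slot not shown; re-list with all-properties"
        elif cores < minimum:
            findings[name] = f"{cores} core(s) configured, needs at least {minimum}"
    return findings


if __name__ == "__main__":
    for guest, reason in flag_guests(parse_guests(SAMPLE_TMSH_OUTPUT)).items():
        print(f"{guest}: {reason}")
```

Feed it the real listing (for example, saved output of `tmsh list vcmp guest all-properties` on the vCMP host) instead of the constructed sample; using `all-properties` avoids the "not shown" findings by forcing tmsh to print default-valued settings.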
On a BIG-IQ system, an attacker needs shell access using the Advanced Shell (bash) or TMOS Shell (tmsh) to execute binary code. By default, only the root and admin users on a BIG-IQ system have shell access. Additionally, only users with the Administrator role can be granted shell access, and this step must be performed using the shell.
On an iWorkflow system, an attacker needs shell access using bash or tmsh to execute binary code. By default, only the root user on an iWorkflow system has shell access. Additionally, only users with the Administrator role can be granted shell access, and this step must be performed using the shell.
On an Enterprise Manager system, an attacker needs shell access using bash or tmsh to execute binary code. By default, only the root user on an Enterprise Manager system has shell access. Additionally, only users with the Administrator role can be granted shell access.
An unprivileged attacker can use this vulnerability to read privileged memory of the kernel or other processes, or cross guest/host boundaries to read host memory, by conducting targeted cache side-channel attacks.

Solution
Upgrade to one of the non-vulnerable versions listed in the F5 Solution K31300402.