On January 3, 2018, researchers disclosed information on three vulnerabilities identified in some microprocessors that could allow an attacker to exploit processor speculation or take advantage of cache timing side-channels. Under specific circumstances, these vulnerabilities could potentially allow an unprivileged local attacker to read privileged data contained in secure areas of system memory belonging to other processes or the system kernel.
There were three original variants of the issue:
- Variant 1: CVE-2017-5753 - speculative execution bounds-check bypass
- Variant 2: CVE-2017-5715 - speculative execution branch target injection
- Variant 3: CVE-2017-5754 - speculative execution permission faults handling
On May 2nd, 2018, two new variants of the Spectre and Meltdown vulnerabilities were published.
Similar to the original three, the new variants are:
- Variant 3a: CVE-2018-3640 – speculative execution rogue system register read
- Variant 4: CVE-2018-3639 – speculative execution store bypass
Vulnerable CPUs vs. Vulnerable Appliances
From our investigation, Poly has determined that while many of our products use CPUs that are technically vulnerable to Spectre and Meltdown, none are susceptible due to the way their software is written and the way the appliance is used. In order for Spectre or Meltdown to be effective exploits, the appliance would need to have malicious code installed onto it or be used to browse to a website that pushes malicious code via a web browser. Poly appliances do not allow applications to be installed onto them, so this vector can’t be exploited. For the few products that do contain a web browser, the software libraries that would allow malicious code to be pushed onto them and executed are not present. There have been no reports of Poly appliances in the field being exploited by Spectre or Meltdown.
Poly’s virtual editions of our appliances are not vulnerable to Spectre or Meltdown. The vectors needed for the vulnerability to work on these products are not present. Spectre and Meltdown require either that malicious software be installed on the product, which our appliances do not allow, or that the product browse to a website that is pushing malicious code; our appliances do not have browsers or the software libraries needed to install the malicious software. Based on this, Poly does not believe that our appliances are vulnerable to either Spectre or Meltdown. Poly will be performing additional updates to our appliances and virtual editions in the coming months to help prevent this type of exploit in the future.
Please note: it is possible that the virtual host machine (e.g. VMware or Hyper-V) is vulnerable and needs patches that are available from the vendor.
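One way to check a host against the five CVEs in this advisory, as an added example that is not Poly code: the script maps each CVE ID to the status file the Linux kernel reports for it and classifies the result. It assumes a Linux host whose kernel exposes `/sys/devices/system/cpu/vulnerabilities` (other hypervisors need their vendor's own tooling), and the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not Poly code): report a Linux host's kernel-reported status
# for the CVEs listed in this advisory. Function names are hypothetical.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# Map an advisory CVE ID to the kernel's sysfs status file name.
# CVE-2018-3640 (Variant 3a) has no status file in that directory.
cve_to_sysfs() {
    case "$1" in
        CVE-2017-5753) echo spectre_v1 ;;
        CVE-2017-5715) echo spectre_v2 ;;
        CVE-2017-5754) echo meltdown ;;
        CVE-2018-3639) echo spec_store_bypass ;;
        *) return 1 ;;
    esac
}

# Print "<CVE> <STATE> <detail>"; STATE is NOT_AFFECTED, MITIGATED,
# VULNERABLE, UNKNOWN (file missing or unrecognised) or UNTRACKED (no file).
cve_status() {
    cve=$1; dir=${2:-$VULN_DIR_DEFAULT}
    name=$(cve_to_sysfs "$cve") || { echo "$cve UNTRACKED no sysfs status file"; return 0; }
    if [ ! -r "$dir/$name" ]; then
        echo "$cve UNKNOWN $dir/$name not readable"; return 0
    fi
    text=$(cat "$dir/$name")
    case "$text" in
        "Not affected"*) state=NOT_AFFECTED ;;
        "Mitigation:"*)  state=MITIGATED ;;
        "Vulnerable"*)   state=VULNERABLE ;;
        *)               state=UNKNOWN ;;
    esac
    echo "$cve $state $text"
}

# Report all five CVEs; return 1 if any is VULNERABLE or UNKNOWN.
report_all() {
    dir=${1:-$VULN_DIR_DEFAULT}; rc=0
    for cve in CVE-2017-5753 CVE-2017-5715 CVE-2017-5754 CVE-2018-3640 CVE-2018-3639; do
        line=$(cve_status "$cve" "$dir")
        echo "$line"
        case "$line" in *" VULNERABLE "*|*" UNKNOWN "*) rc=1 ;; esac
    done
    return $rc
}

# Run against the live host only when invoked as: script.sh --run
if [ "${1:-}" = "--run" ]; then report_all; fi
```

A non-zero exit from `report_all` means at least one tracked CVE is reported as vulnerable or could not be read, so the host's kernel and microcode updates are worth reviewing.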
Group Series Family (Group Series, Centro, Medialign)
The Poly Group Series does not perform any actions that would make it vulnerable to Spectre or Meltdown. It does not allow for software applications to be installed on it nor does it allow for any web browsing. File uploads to the appliance are limited to digitally signed software images from Poly and JPEG images.
VVX and Trio Families of Phones
The Poly VVX and Trio families of phones are not susceptible to Spectre or Meltdown. They do not allow software to be installed on them, which prevents malicious code from being loaded, and they lack the software libraries needed for malicious software to be pushed from the web. None of the vectors needed for Spectre or Meltdown are present in any of these phones.
Other Poly Appliances
Poly is performing a close review of all our supported products to determine if there is any risk and will continue to update them as needed. Many of our infrastructure products using Intel processors have received updates even though the appliance itself isn’t vulnerable.
CVE-2017-5753 - speculative execution bounds-check bypass
Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
CVE-2017-5715 - speculative execution branch target injection
Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
CVE-2017-5754 - speculative execution permission faults handling
Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.
CVE-2018-3640 – speculative execution rogue system register read
Systems with microprocessors utilizing speculative execution and that perform speculative reads of system registers may allow unauthorized disclosure of system parameters to an attacker with local user access via a side-channel analysis, aka Rogue System Register Read (RSRE), Variant 3a.
CVE-2018-3639 – speculative execution store bypass
Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4.
Last Update: 3/14/2022
Initial Public Release: 7/12/2018
Advisory ID: PLYGN18-01
CVE ID: CVE-2017-5753
CVSS Score: 5.6
CVE ID: CVE-2017-5715
CVSS Score: 5.6
CVE ID: CVE-2017-5754
CVSS Score: 5.6
CVE ID: CVE-2018-3640
CVSS Score: 5.6
CVE ID: CVE-2018-3639
CVSS Score: 5.5
1.3.5 and prior
|End of Support June 30, 2021|
1.3.5 and prior
|End of Support August 31, 2021|
No action is necessary.
Many modern CPUs use speculative execution and are potentially susceptible to these types of attacks. However, it is important to note an attacker must be able to execute malicious code on a vulnerable device to exploit one of these vulnerabilities and gain access to restricted memory. The impact of these vulnerabilities is greatest on multi-user systems – shared hosting, cloud services, virtual machines, etc. – where unprivileged access to the system resources is generally available.
Poly products are designed and deployed in a manner that largely mitigates such classes of vulnerability. They are not multi-user systems and do not typically allow access to the operating system for normal operation, nor do they allow the installation of custom code. The ability to load or execute code is limited to privileged users, and firmware signature validation blocks the installation of firmware not signed by Poly. Some Poly infrastructure products do by default provide unprivileged OS-level service accounts for configuration and maintenance. On these systems, we recommend changing default passwords, restricting account access to trusted administrators, and disabling shell access.
- Limit access to critical infrastructure equipment to only trusted administrators from trusted administrative networks or hosts.
- Ensure that all default passwords have been changed.
Poly will be developing software fixes for supported products found to be vulnerable to prevent these types of attacks. This advisory will be updated as patches are made available.
|1.1||1/4/2018||Updated Summary, Impact and Risk, Mitigations and Notes details|
|1.2||1/4/2018||Updated product list|
|1.3||1/4/2018||Updated status on several products and revised CVSS score|
|1.4||1/4/2018||Updated product status, updated Vulnerability Summary and Mitigations|
|1.5||1/4/2018||Updated product status|
|1.6||1/4/2018||Updated product table for Patch release dates and added notes|
|1.7||1/4/2018||Updated product table for CX phones|
|1.8||1/4/2018||Updated product table for all products|
|1.9||1/4/2018||Updated advisory to include variants 3a and 4|