This is a security advisory note. It provides an overview of the Meltdown and Spectre CPU vulnerabilities and
recommendations to mitigate them.
Dear Valued Versa Networks Customer,
We are committed to ensuring that you receive the highest quality of service and product capability. In delivering on this commitment, we aim to always keep our customers apprised of any potential impacts of security vulnerabilities, hardware defects, and other critical software issues.
This Product Service Announcement (PSA) is to inform you of recently disclosed vulnerabilities that severely impact CPU hardware, leaving it open to cache side-channel attacks. The specific vulnerabilities are listed below with links to detailed descriptions of the impact and nature of each:
- Official discovery and explanation by Google: Project Zero.
- Technical details of vulnerability codenamed: Meltdown.
- Technical details of vulnerability codenamed: Spectre.
In summary, these vulnerabilities allow an unprivileged user-space process to read memory it should not be able to access: the kernel's privileged data in the case of Meltdown, and data belonging to other processes, sandboxes, or the hypervisor in the case of Spectre. Meltdown and Spectre are classified as "Information Disclosure" and "Privilege Escalation" vulnerabilities. Meltdown primarily affects Intel processors; Spectre affects Intel, AMD, and ARM-based processors.
Versa Products Impacted
Versa Networks, a software-only solution, is supported across a number of x86 processors and appliances delivered by our white-box appliance vendors: Advantech, Lanner, ADI / Silicon and Dell. The vulnerabilities identified above can negatively affect the following Versa Networks software when deployed as a Virtual Machine (VM) on affected systems or on baremetal:
- 15.x Release Family
  - Versa FlexVNF
  - Versa Director
  - Versa Analytics
- 16.x Release Family
  - Versa FlexVNF
  - Versa Director
  - Versa Analytics
Vulnerability exposure varies based on the modes of deployment. Please see below for each deployment mode.
VM Based Deployments for all Versa Software
For VMs running Versa Networks components, Versa recommends that customers apply the security patches from their VM host OS (hypervisor) provider, so that these vulnerabilities cannot be exploited against the virtualized systems. Host-level patches protect the hypervisor and neighbouring VMs from a compromised guest; the guest kernel inside each Versa VM is addressed separately by the Ubuntu patch described under Next Steps.
NOTE: Please do not download or install any 3rd party software on the virtual machines that are running the Versa Networks’ software.
Baremetal Installations for all Versa Software
Versa baremetal software installations are the least impacted by these vulnerabilities. Baremetal systems are closed systems that do not allow installation of 3rd party software that could contain code to exploit these vulnerabilities; therefore the risk on baremetal installations is minimal.
FlexVNF: Versa uCPE Installations
Third party applications carrying malware could make these systems vulnerable. Please do not download or install unqualified or unapproved 3rd party VMs on the Versa Networks uCPE solution. Versa works closely with the approved 3rd party VM vendors to obtain their patches. Since these approved 3rd party VM vendors are well-known entities, the risk of exploits via their VMs is small, and once Versa obtains versions of their code with the fixes, that residual risk will be further reduced.
NOTE: Please do not use unapproved 3rd party VMs on Versa uCPE solution.
Versa Director
Versa Director can be deployed in a variety of environments, together with other 3rd party software in virtual environments. To minimize the risk of exploits, Versa recommends deploying Versa Director on dedicated systems and patching the underlying OS when the fixes become available.
Versa Analytics
Versa Analytics can be deployed in a variety of environments, together with other 3rd party software. To minimize the risk of exploits, Versa recommends deploying Versa Analytics on dedicated systems and patching the underlying OS when the fixes become available.
Next Steps
Versa Networks is committed to ensuring that any Versa Networks software in use by our customers does not impact business or network operations. We are working to address this issue as quickly as possible.
Ubuntu has not yet released the fix for these vulnerabilities. As of January 2018, Versa Networks is waiting for the patch to be published so that it can be analyzed.
Upon official release of the Ubuntu Linux patch, Versa Networks is committed to ensuring that it has no negative impact on any Versa Networks software component (FlexVNF, Director, and Analytics). To ensure this, Versa Networks will test the patch thoroughly once it is released; we currently estimate this will take approximately 7 to 14 days after the Ubuntu patch is available.
For currently deployed Versa Networks software, these CPU-level vulnerabilities require an attacker to have already established local arbitrary code execution; that is, the system would have to be successfully compromised by other means before these issues could be leveraged.
These attacks can only be carried out locally, by an attacker executing malicious code on the same hardware. Versa therefore encourages all customers to make full use of the auditing and role-based access control features in the Versa software to log and monitor any such activity. Versa strongly recommends that customers limit access to critical infrastructure to trusted administrators and hosts, and that no additional packages be added to the Linux installation, since they could introduce malware.
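Once the Ubuntu kernel patch described above has been applied to a Versa component, operators will want to confirm that the mitigations are actually active rather than trusting the package version alone. The script below is an added example for this advisory, not Versa Networks code: it reads the sysfs interface that patched upstream (and Ubuntu) kernels expose under /sys/devices/system/cpu/vulnerabilities/ and classifies each entry, treating a missing entry as a kernel that predates the patches. The sample status strings in make_sample_dir are constructed for offline use. Note that inside a VM this only reports the guest kernel's own mitigations; the hypervisor host still needs its vendor's patches as recommended in the VM section.

```shell
#!/bin/sh
# Added example, not Versa Networks code: report Meltdown/Spectre mitigation
# status from the sysfs interface that upstream (and Ubuntu) kernels expose
# once the mitigation patches are installed. On an unpatched kernel the
# directory does not exist at all, which is itself the signal to look for.
# Assumption: the sysfs path and status wording are the upstream kernel's;
# the sample strings in make_sample_dir are constructed for an offline demo.

VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_status "<sysfs status line>"
# Prints one of: mitigated, not_affected, vulnerable, unknown.
# The kernel prefixes partial mitigations with "Vulnerable:" so they are
# correctly reported as still vulnerable here.
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_host [DIR]
# Prints one line per issue and returns 1 if anything is vulnerable or
# unknown, so it can gate a post-patch verification step in automation.
check_host() {
    dir="${1:-$VULN_DIR}"
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        f="$dir/$name"
        if [ -r "$f" ]; then
            status=$(classify_status "$(cat "$f")")
        else
            status=unknown   # no sysfs entry: kernel predates the patches
        fi
        printf '%-10s %s\n' "$name" "$status"
        case "$status" in vulnerable|unknown) rc=1 ;; esac
    done
    return $rc
}

# make_sample_dir
# Constructed sysfs tree resembling what an early (January 2018) patched
# kernel reported: Meltdown fixed by PTI, Spectre v2 by retpoline, Spectre v1
# not yet mitigated. Used only to demonstrate the check without real sysfs.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Vulnerable\n' > "$d/spectre_v1"
    printf 'Mitigation: Full generic retpoline\n' > "$d/spectre_v2"
    echo "$d"
}

# Usage: DEMO=1 sh check_mitigations.sh   (runs against the constructed sample)
#        sh check_mitigations.sh          (runs against the live host)
if [ "${DEMO:-0}" = 1 ]; then
    sample=$(make_sample_dir)
    check_host "$sample" || echo "sample: one or more issues unmitigated or unknown"
    rm -rf "$sample"
else
    check_host || echo "host: one or more issues unmitigated or unknown"
fi
```

Run it on each FlexVNF, Director, and Analytics node after the patch is applied; a non-zero exit from check_host means either a mitigation is missing or the running kernel is older than the fix, which is the case to escalate to Versa support.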
Concerned customers are recommended to contact Versa Networks Technical Support Team for any clarifications related to this advisory.
Thank You,
Versa Networks Technical Support