[cisco-voip] Spectre and Meltdown remediation as relevant to Cisco systems

James Andrewartha jandrewartha at ccgs.wa.edu.au
Mon Jan 8 20:33:16 EST 2018


Hi Ben,

On 09/01/18 05:27, Ben Amick wrote:
> So I haven’t had much time to look into this, but has anyone else
> compiled a list of or needs for remediation for Cisco systems for the
> Spectre and Meltdown vulnerabilities?
>  
> I know the one only affects Intel and some ARM processors, whereas the
> other is more OS level, if I understand properly?

That's correct. And Meltdown is much easier to exploit than Spectre.

> So being that all the Cisco telephony products are on virtualized
> product now, I assume that we would go to VMware for any patching
> relevant to those, but I would imagine that we would also need a
> security patch for the Red Hat/CentOS OS the Unified Communications
> products run on (and doubly so for those of us using old MCS physical
> chassis?)
>  
> It looks like routers and switches, as well as ASAs are all potentially
> vulnerable as well.

Devices are mostly vulnerable if they can run untrusted code. So the
biggest problem is with client devices and software like web browsers.
Devices like routers, CUCM servers and so on that only run trusted code
from the vendor are not immediately exploitable. Which isn't to say you
shouldn't be applying patches when they become available, and
particularly if you run non-telephony VMs on the same hosts, as Meltdown
can easily break through the hypervisor barrier and read data from other
VMs. So as an MCS user you're actually less vulnerable.

So it is a big vulnerability, but for appliances it's not such a big
problem. As an example, Aruba have said they don't need to release any
patches immediately but will investigate and deploy mitigations over
time: http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-001.txt

Thanks,

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

