[cisco-voip] Spectre and Meltdown remediation as relevant to Cisco systems

Ben Amick bamick at HumanArc.com
Wed Jan 10 10:47:44 EST 2018


Proper access control is always important and will theoretically mitigate many an issue. I believe your answer would be nearly accurate except that Windows allows customized code to run without administrative access. You can run a batch file, a powershell script, etc. which could enable vulnerability to the attack vector. I even believe one of the two vulnerabilities can be accessed through a java script in your web browser on windows.

CUCM and such do not have this limitation as without root access you cannot run anything that is not already allocated inside of the CUCM UI or shell, thereby allowing no customized code to ever run.

Ben Amick
Unified Communications Analyst

From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Lelio Fulgenzi
Sent: Wednesday, January 10, 2018 10:42 AM
To: Ryan Ratliff (rratliff) <rratliff at cisco.com>
Cc: voip puck <cisco-voip at puck.nether.net>
Subject: Re: [cisco-voip] Spectre and Meltdown remediation as relevant to Cisco systems


OK – Just so I’m clear why the baremetal UCOS version isn’t vulnerable…

Is it because this is a “local attack” ? And needs someone to login to the shell?

https://tools.cisco.com/security/center/viewAlert.x?alertId=56354 : CPU hardware contains multiple vulnerabilities that could allow a local attacker to execute arbitrary code with user privileges and gain access to sensitive information on a targeted system.

If we were to assume that no one could log into the Window shell other than administrators, would that also be safe?

Sorry, silly questions, I know.

---
Lelio Fulgenzi, B.A. | Senior Analyst
Computing and Communications Services | University of Guelph
Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1
519-824-4120 Ext. 56354 | lelio at uoguelph.ca<mailto:lelio at uoguelph.ca>

www.uoguelph.ca/ccs<http://cp.mcafee.com/d/FZsS86QnQnTPhOYqen6jtPqabbXaoUsyqejqabbXaoVVZASyyO-Y-euvsdEEK6zAQsTLt6VIxGIH5gkjrlS6NJOVICSHIdzrBPqoVxBN_n-LOpEVud7dTbzKLsKCOe7sMqekhPzaavkhjmKCHuXDaxVZicHs3jq9JUTvHEFFICzCWtPhOrKr01dR8J-uIjWSVqR3tFkJkKpH9oKgGT2TQ1iPtyL0QDYu1FJxeX1EVdwLQzh0qmXiFqFsPmiNFtd40MJZFNYQgr10Qg3vDPgGowq88-HW4JDaI3h1J3h17P_cX2pEwDkQg2kGmGq8a5GjZmxIsYrI6jA> | @UofGCCS on Instagram, Twitter and Facebook

[University of Guelph Cornerstone with Improve Life tagline]

From: Ryan Ratliff (rratliff) [mailto:rratliff at cisco.com]
Sent: Wednesday, January 10, 2018 9:11 AM
To: Lelio Fulgenzi <lelio at uoguelph.ca<mailto:lelio at uoguelph.ca>>
Cc: voip puck <cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>>
Subject: Re: [cisco-voip] Spectre and Meltdown remediation as relevant to Cisco systems

The only baremetal versions of those products that would require a patch are the ones that ran on Windows. Since we moved to linux root has been locked down and you can’t run custom code on the box, which is a requirement for exploitation of this vulnerability.

-Ryan

On Jan 9, 2018, at 9:58 PM, Lelio Fulgenzi <lelio at uoguelph.ca<mailto:lelio at uoguelph.ca>> wrote:


I'm wondering if products like CUCM v9 and UCCx v9 will be investigated/patched for vulnerabilities? Especially since they're bare metal compatible.

If Linux is affected, then wouldn't these be as well?

We're in the process of migrating but it would be good to know.

Sent from my iPhone

On Jan 9, 2018, at 8:32 PM, Lelio Fulgenzi <lelio at uoguelph.ca<mailto:lelio at uoguelph.ca>> wrote:

To be honest, I'm a little worried about the rumoured slowdown the fixes are gonna have. Will this impact the supported status of certain CPUs in collab suite?

Sent from my iPhone

On Jan 9, 2018, at 9:47 AM, Lelio Fulgenzi <lelio at uoguelph.ca<mailto:lelio at uoguelph.ca>> wrote:
Good question. I’m not sure of the impact either. I _suspect_ that because ESXi abstracts the CPU that the intel CPU bug would affect ESXi only, not the underlying applications. Because you can’t run the software on baremetal any longer, there shouldn’t be a need to update the voice applications.

I’m also guessing that CIMC would likely need some updates too.

But yes, interesting to see how this plays out.


---
Lelio Fulgenzi, B.A. | Senior Analyst
Computing and Communications Services | University of Guelph
Room 037 Animal Science & Nutrition Bldg | 50 Stone Rd E | Guelph, ON | N1G 2W1
519-824-4120 Ext. 56354 | lelio at uoguelph.ca<mailto:lelio at uoguelph.ca>

www.uoguelph.ca/ccs<http://cp.mcafee.com/d/5fHCN0q6hASy-y--qenzhOUOrKrhhpvpj73AjhOrhhpvpj7ffICQkmnTDNPPXxJ55MQsCzCZXETdAdlBoG2yrqKMSdKndASRtxIrsKrj7ccKfW_R-jd7bNEVKVstRXBQShMXC3hOyesphjWyaqRQRrTsVkffGhBrwqrjdL6XZt5ddAQsTjKqejtPo09KF5LPRyvmTbmErJaBGBPdpb5O5mUm-wamrIlU6A_zMddI9Tod79I5-Aq83iTqlblbCqOmdbFEw65LJefCy3o86y0rY-q5j43h17RvgBIVlwq8dEq88-vVDojd44WCy0iBiRjh1gJivGQdzDztj549NxV> | @UofGCCS on Instagram, Twitter and Facebook

<image001.png>

From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Ben Amick
Sent: Monday, January 8, 2018 4:27 PM
To: voip puck <cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>>
Subject: [cisco-voip] Spectre and Meltdown remediation as relevant to Cisco systems

So I haven’t had much time to look into this, but has anyone else compiled a list of or needs for remediation for cisco systems for the Spectre and Meltdown vulnerabilities?

I know the one only affects Intel and some ARM processors, whereas the other is more OS level, if I understand properly?

So being that all the cisco telephony products are on virtualized product now, I assume that we would go to VMWare for any patching relevant to those, but I would imagine that we would also need a security patch for the redhat/centos OS the Unified Communications products run on (and doubly so for those of us using old MCS physical chassis?)

It looks like routers and switches, as well as ASAs are all potentially vulnerable as well.

I’ve found the following articles on their website: https://tools.cisco.com/security/center/viewAlert.x?alertId=56354 and https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechannel that details the issues a bit, but it looks like Cisco hasn’t found anything yet nor delivered any patches?

Ben Amick
Unified Communications Analyst


Confidentiality Note: This message is intended for use only by the individual or entity to which it is addressed and may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please contact the sender immediately and destroy the material in its entirety, whether electronic or hard copy. Thank you
_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-voip<http://cp.mcafee.com/d/5fHCN8g43qbWbXVEVud7bz9KVJ55BZBcsehd79J55BZBcsY-Orhhpvuv7ffK6Qkn3hOqerTKzsSgRmlyEa9JGX3oSVsSjrlS6NJOVJcsMOU_H_nVcQsL6zCXBNTnKnjp73Kod7a8VNB5fG8FHnjlLtPBgY-F6lK1FJASYrLRQkQSjhPteVEVdTdAVPmEBCbdSaY3ivNU6U9GX33VkDa3JsJaBGBPdpb6XiFqFsPmiNsxlK5LE2BCX5u1FfUY3jr2tS3hOr1vF6y0QJSBiRiVCIBziWq81xrXjzVEwS21Ew6_fCxkN0QghZnQ9relo6y3q6y2fD-pS4Ph1eFEw4FkJkQgkbkDWJ3oVUS9Iw>
_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-voip<http://cp.mcafee.com/d/1jWVIi6x0i6jqbWbXVEVud7bz9KVJ55BZBcsehd79J55BZBcsY-Orhhpvuv7ffK6Qkn3hOqerTKzsSgRmlyEa9JGX3oSVsSjrlS6NJOVJcsMOU_H_nVcQsL6zCXBNTnKnjp73Kod7a8VNB5fG8FHnjlLtPBgY-F6lK1FJwSYrLRQkQSjhPteVEVdTdAVPmEBCbdSaY3ivNU6U9GX33VkDa3JsJaBGBPdpb6XiFqFsPmiNsxlK5LE2BCX5u1FfUY3jr2tS3hOr1vF6y0QJSBiRiVCIBziWq81xrXjzVEwS21Ew6_fCxkN0QghZnQ9relo6y3q6y2fD-pS4Ph1eFEw4FkJkQgkbkDWJ3oVUTCeCd-uK_fVX>
_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net<mailto:cisco-voip at puck.nether.net>
https://puck.nether.net/mailman/listinfo/cisco-voip<http://cp.mcafee.com/d/2DRPoO76QnQnTPhOYqen6jtPqabbXaoUsyqejqabbXaoVVZASyyO-Y-euvsdEEK6zAQsTLt6VIxGIH5gkjrlS6NJOVICSHIdzrBPqoVxBN_n-LOpEVud7dTbzKLsKCOe7sMqekhPzaavkhjmKCHuXDaxVZicHs3jrVJUTvHEFFICzCWtPhOrKr9PCJhbcmrIlU6A_zMdMjlS67OFek7qVqlblbCqOmdSBiRiVCIByV2Hsbvg5bdSaY3ivNU6CS4XI6zAS2_id41FrJaBGBPdpb6BQQg32TSD7Ph1I43h0d-vd2Fy1EwzWLEiSsGMd46Qd44vfYPI9Cy2tjh09iFqFEwEmFfRq6NPNJge8>



Confidentiality Note: This message is intended for use only by the individual or entity to which it is addressed and may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please contact the sender immediately and destroy the material in its entirety, whether electronic or hard copy. Thank you
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20180110/ae9301ef/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 1297 bytes
Desc: image001.png
URL: <https://puck.nether.net/pipermail/cisco-voip/attachments/20180110/ae9301ef/attachment.png>


More information about the cisco-voip mailing list