In addition to my shortcut blog post about Meltdown and Spectre with regard of Microsoft Windows, VMware ESXi and vCenter, and HPE ProLiant, I would like to add some additional information about HPE Storage and Citrix NetScaler.
When we talk about Meltdown and Spectre, we are talking about three different vulnerabilities:
- CVE-2017-5715 (branch target injection)
- CVE-2017-5753 (bounds check bypass)
- CVE-2017-5754 (rogue data cache load)
CVE-2017-5715 and CVE-2017-5753 are known as “Spectre”, CVE-2017-5754 is known as “Meltdown”. If you want to read more about these vulnerabilities, please visit meltdownattack.com.
Due to the fact that different CPU platforms are affected, one might can guess that also other devices, like storage systems or load balancers, are affected. Because of my focus, this blog post will focus on HPE Storage and Citrix NetScaler.
HPE has published a searchable and continously updated list with products, that might be affected (Side Channel Analysis Method allows information disclosure in Microprocessors). Interesting is, that a product can be affected, but not vulnerable.
|Nimble Storage||Yes||Fix under investigation|
|StoreOnce||YES||Not vulnerable – Product doesn’t allow arbitrary code execution.|
|3PAR StoreServ||YES||Not vulnerable – Product doesn’t allow arbitrary code execution.|
|3PAR Service Processor||YES||Not vulnerable – Product doesn’t allow arbitrary code execution.|
|3PAR File Controller||YES||Vulnerable- further information forthcoming.|
|MSA||YES||Not vulnerable – Product doesn’t allow arbitrary code execution.|
|StoreVirtual||YES||Not vulnerable – Product doesn’t allow arbitrary code execution.|
|StoreVirtual File Controller||YES||Vulnerable- further information forthcoming.|
The File Controller are vulnerable, because they are based on Windows Server.
So if you are running 3PAR StoreServ, MSA, StoreOnce or StoreVirtual: Relax! If you are running Nimble Storage, wait for a fix.
Citrix has also published an article with information about their products (Citrix Security Updates for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754).
The article is a bit spongy in its statements:
Citrix NetScaler (MPX/VPX): Citrix believes that currently supported versions of Citrix NetScaler MPX and VPX are not impacted by the presently known variants of these issues.
Citrix believes… So nothing to do yet, if you are running MPX or VPX appliances. But future updates might come.
The case is a bit different, when it comes to the NetScaler SDX appliances.
Citrix NetScaler SDX: Citrix believes that currently supported versions of Citrix NetScaler SDX are not at risk from malicious network traffic. However, in light of these issues, Citrix strongly recommends that customers only deploy NetScaler instances on Citrix NetScaler SDX where the NetScaler admins are trusted.
No fix so far, only a recommendation to check your processes and admins.
Feel free to follow him on Twitter and/ or leave a comment.