Cisco Expands Spectre, Meltdown Probe To Nine More Products
Cisco Systems has expanded its investigation into products that may be impacted by the Spectre and Meltdown exploits, adding nine more products to the list that already includes dozens of systems.
In an update to a security advisory, the San Jose, Calif., networking giant said it is investigating several network application, service and acceleration products, as well as network management, routing and server products that weren't covered in an initial advisory earlier this month.
Network application, service and acceleration products included in the updated advisory are Cisco's vBond Orchestrator, vEdge 5000, vEdge Cloud, vManage NMS and vSmart Controller. Also included in the updated advisory are the Cisco Application Policy Infrastructure Controller and Virtual Application Policy Controller, as well as c800 Series Integrated Services Routers and the C880 M4 Server.
Cisco's investigation into the Spectre and Meltdown exploits began with dozens of products including its Cisco Cloud Services Platform 2100, ASR, NCS, XRv9000 and Industrial Integrated Service Routers; Nexus series switches including blade and fabric models; as well as UCS B- and C-Series blade and rack servers.
Fixes are pending, according to the advisory, for three B-Series servers and one C-Series UCS server, as well as the C460 M4 rack server.
The company said that because the majority of its products are proprietary closed systems, they are not vulnerable to the Spectre and Meltdown exploits, which affect chips from multiple vendors, including Intel and AMD.
Still, the company said a Cisco product deployed as a virtual machine or container, "even while not being directly affected by any of these vulnerabilities, could be targeted by such attacks if the hosting environment is vulnerable." The company said customers should "harden their virtual environment" and "ensure that all security updates are installed," adding that it would release software updates to combat the potential threats.
"This continues to be an ongoing investigation, so we are advising customers to please be aware that products and services currently considered not under investigation or vulnerable may subsequently be added to the advisory as additional information becomes available," a Cisco spokesman said in a statement.
"Cisco puts the security of our customers first," the statement read. "When we have a vulnerability in our products, we issue a security advisory to make sure our customers know what it is and how to address it. Cisco immediately launched an investigation into the recently published security research that details an industry-wide issue affecting speculative execution in modern CPU architectures. Cisco PSIRT [Product Security Incident Response Team] has issued a security advisory to help customers understand which Cisco products may be affected and assess the potential implications for their networks. Fixes will be published for affected products as they become available, and potential workarounds will be documented where available."
Richard Bayes, senior director of global operations and engineering at Liberty Technology, a Griffin, Ga.-based solution provider that works with Cisco, called the Spectre and Meltdown vulnerabilities "a big catastrophe" with the potential to hurt customer relationships if patches significantly impact performance.
"A lot of the Cisco apps we run are on a VMware hypervisor, so we have to make sure everything is getting patched properly," Liberty Technology's Bayes said. "We have to make sure the performance is there and delivered to the customer. A performance hit could hurt our relationship with the customer, and we want to make sure that's not the case. A lot of customers who have on-premises infrastructure don't update very frequently. There's a lot of old technology out there and then it gets harder. We're trying to be vigilant to make sure [customers] do everything necessary and make sure certain devices are not reachable."
Bayes said Cisco has told Liberty Technology that patches will come from Cisco Support, meaning partners won't have to shoulder the cost. "We're still waiting to hear when the patch is going to be here, and is it going to be done automatically."
The Spectre and Meltdown exploits – made up of three side-channel analysis vulnerabilities – have riled the IT industry because, if exploited, they could be used to expose sensitive data on most modern processors in mobile devices, desktops, laptops and servers running in cloud environments.
Intel Wednesday said patches issued recently to combat the Spectre and Meltdown exploits were causing reboot problems for newer Kaby Lake and Skylake chips, as well as older chips like its Broadwell and Haswell CPUs.