Imperva Security Response to “Meltdown” and “Spectre” Exploits (Side-Channel Attacks to CPU privileged memory)

Revision History
Date Revision
1/6/2018 Initial version
1/8/2018 Update to provide impact on SecureSphere Database Activity Monitoring (DAM) and Database Firewall (DBF) agents when OS patches are applied to database servers

Background
On January 3, 2018, researchers from Google publicly disclosed three potential attacks against the privileged memory in modern CPU architectures. These vulnerabilities take advantage of CPU data cache timing, which can be abused to efficiently leak information. The result of this attack is that, in a worst-case scenario, arbitrary virtual memory reads can occur across local security boundaries inside the memory cache of the CPU.

More information about the vulnerabilities:

This advisory applies to the following CVEs: CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754

Impact Upon Imperva Products and Service Offerings

Imperva appliances
The reported vulnerabilities and exploits pose no additional risk to properly deployed and configured Imperva appliances. All commercially available Imperva appliances use chipsets susceptible to the issues disclosed in this research. However, successful exploitation of these vulnerabilities requires local access and the ability to install software. For Imperva SecureSphere and Imperva CounterBreach this requires root access. Users with root access already have access to any information that can be gleaned from these vulnerabilities. In summary, this exploit provides access only to information already available with the administrative rights needed to exploit these vulnerabilities.

Imperva SecureSphere Database Security Agents
Imperva is closely monitoring and testing the patches that OS vendors are releasing to address these vulnerabilities. At present, these patches may disable SecureSphere Database Activity Monitoring (DAM) and Database Firewall (DBF) agents. Ongoing updates and timelines regarding agent impact will be tracked via this Knowledgebase article (customer login required).

To ensure agents continue to properly function, we recommend customers do not upgrade OS versions for database servers unless the Knowledgebase article indicates the specific OS upgrade does not impact the agent. We will notify all customers when Imperva database agent patches that are required ahead of OS patches are posted to our FTP site.

Imperva Incapsula
The Imperva network that supports the Incapsula service is not impacted by the vulnerability. The Incapsula CDN’s infrastructure is inaccessible to anyone outside of Imperva, and as such does not run malicious code that could exploit the vulnerabilities. The Incapsula management console runs on infrastructure supported by Amazon Web Services and is covered by Amazon Web Services security bulletin AWS-2018-013. Amazon has advised clients that all instances across the Amazon EC2 fleet are protected against these vulnerabilities.

Protecting Applications
No exploitation that first uses a Remote Code Execution (RCE) attack as a vector for abusing the vulnerabilities is currently known, but any such attempt should be blocked by both Incapsula and SecureSphere as part of our RCE protection.

No exploitation by way of Cross-Site Scripting (XSS) is known yet. However, our research teams continue to actively monitor the situation regarding these vulnerabilities. If further action can be taken to protect against this type of exploit, we will update this advisory.