Here's How Five Top Networking Vendors Are Responding To Spectre, Meltdown Exploits
Cisco, Huawei, HPE Aruba, Arista Networks and Juniper Networks have all responded to the Spectre and Meltdown exploits by issuing security advisories that demonstrate a range of possible impacts and preventative actions.
Ghost In The Machine
The key players in the networking industry are girding themselves against the potential for the Spectre and Meltdown exploits to impact their products, and taking pains to make sure customers and partners know where vulnerabilities may lie.
By Saturday, the industry's top five networking companies, Cisco Systems, Huawei, HPE Aruba, Arista Networks and Juniper Networks, had all issued security advisories that demonstrated a range of possible impacts and preventative actions.
For example, Cisco said that its largely proprietary routers, switches and servers are very unlikely to be impacted by the chip bugs and said customers don't have to take any action, while Juniper Networks said three of its products could be vulnerable and patches would be made available soon. Most of the top networking vendors seem to agree that their products are vulnerable only when they're part of virtualized environments where chips are being attacked.
The Spectre and Meltdown exploits affect chips from multiple vendors, including market leader Intel. The vulnerabilities, if exploited, could be used to expose sensitive data on most modern processors, including mobile devices, desktops, laptops and servers running in cloud environments.
Cisco, the global networking leader, commands a 55 percent share of the market, according to the latest data from research firm IDC, and the company said in a security advisory that the majority of its products are closed systems and therefore not vulnerable to Spectre or Meltdown flaws. Still, the company isn't leaving anything to chance, and is investigating its Cisco Cloud Services Platform 2100; ASR, NCS, XRv9000 and Industrial Integrated routers; Nexus series switches including blade and fabric models; as well as UCS B- and C-series blade and rack servers. The company advised that customers "harden their virtual environment," and "ensure that all security updates are installed."
Shenzhen, China-based Huawei has been making significant inroads in the IT hardware market in recent years, and its router and switching business claimed the No. 2 market share in IDC's most recent quarterly data. However, the company hasn't issued an advisory related to the impacts the Spectre and Meltdown exploits may have on its networking products. The company did issue an advisory Saturday related to 10 of its server models. The company said it has issued software updates to fix potential vulnerabilities in Version 3 of its CH-series servers, as well as Version 5 of its 1288 and 2288 servers.
HPE Aruba said its products are based on several chip architectures, and some of those chips are known to potentially carry the Spectre or Meltdown exploits. Still, the company said the likelihood of those vulnerabilities being used to compromise HPE Aruba products is so remote that customers are being advised to take no action. The company said it may issue software patches and updates in the future. "No Aruba product allows the execution of arbitrary code by an unauthorized user," the company said in an advisory. However, that reassurance came with several caveats: HPE Aruba's ClearPass Policy Manager, AirWave, Mobility Master, Virtual Mobility Controller and IntroSpect Packet Processors are available as virtual appliances that run as a guest under a hypervisor. If the hypervisor is vulnerable and untrusted users have access to other systems on the same hypervisor, an attacker could read memory from an HPE Aruba appliance. The company warned of similar potential risks in its Activate and Meridian cloud products.
Arista Networks said the Spectre and Meltdown exploits could be exposed in its vEOS virtual routers and cEOS switch platform for containers, but only if vulnerabilities are exploited in underlying hypervisors, kernels or processors. "Any fix or patch to address this issue will only be applicable" to those systems, and not Arista product lines, the company said in an advisory. Arista has posted significant growth in recent quarters, registering a 5.1 percent share of the Ethernet switching market in IDC's most recent data, and a nearly 28 percent market share in the 100Gb segment.
Juniper Networks noted that the Spectre and Meltdown vulnerabilities affect Intel processors used in various Juniper products, including Junos OS, Junos Space Appliance, NSMXpress 3000 and 4000 appliances and its CTP appliance. The company said that in order to exploit the vulnerability, an attacker would have to gain local authenticated privileged admin access and bypass Juniper security assessments. The company said in an advisory that customers should limit access to critical infrastructure networking equipment only to trusted admins. The company said it would provide patches as soon as they're available from operating systems vendors.