CWP Agent platform support for Meltdown and Spectre (CVE-2017-5753)

Article ID: 170747

Products

Cloud Workload Protection

Issue/Introduction

This document describes CWP agent compatibility in relation to the Spectre vulnerability (CVE-2017-5753). It also covers the ongoing investigation into support for additional platforms and kernel versions, and into any new exploits that use this vulnerability.

Resolution

Vendors are releasing patches to mitigate the Intel vulnerabilities. Symantec is testing Cloud Workload Protection (CWP) with these patches as they are released and updated. As usual with Windows patches, no changes to the CWP agent are required. As an extra precaution, we tested the released patches for Windows 2016, 2012 R2 and 2008 R2, and they have been fully certified.

For Linux platforms, we are testing patches as they are released; no issues have been found and no updates are required, other than on AWS Linux. The following table provides details on the patches that have been tested so far.

| OS | Version | Kernel |
|---|---|---|
| RHEL 6.9 | Enterprise Linux | kernel-2.6.32-696.18.7.el6.x86_64 |
| RHEL 7.4 | Enterprise Linux | 3.10.0-693.11.6.el7.x86_64 |
| CentOS 7.4 | 7.4 | 3.10.0-693.11.6.el7.x86_64 |
| Windows 2k8 R2 | Enterprise | SP1 |
| Windows 2k12 R2 | Standard | |
| Windows 2k16 | Standard | |
| Amazon Linux | 2017.09 (ami-a142e9d9) | 4.9.75-25.55.amzn1.x86_64 |

Recommended CWP Policy changes

Customers are advised to make the following policy configuration changes to harden their systems against such attacks.

  1. Add Unix and Windows OS policies in the policy groups.
  2. Enable “Disable software install” under the “Default sandbox additional settings” section of the Unix/Windows Default policy.
  3. Enable the following options under the “Default Sandbox Process Execution Rules” section of the Unix/Windows Default policy:
    1. Allow execution of Processes
    2. Processes application may execute
    3. Processes application may execute if using specific arguments
    4. Block execution of Processes with non-executable extension (Windows only)

 

Screenshots

1. Unix OS Policies; Windows OS Policies
2. Unix Default Sandbox Additional Settings; Windows Default Sandbox Additional Settings
3. Unix Sandbox Process Execution Rules; Windows Sandbox Process Execution Rules

Last Updated January 9th, 2018

This page will be updated as new platforms/versions are added.
