Meltdown and Spectre: Is Data Loss Prevention Affected?


Article ID: 170767


Updated On:

Products

Data Loss Prevention Enforce

Issue/Introduction

Meltdown and Spectre are a class of information disclosure vulnerabilities that exploit well-known performance-maximizing design choices in modern microprocessors (out-of-order execution, branch prediction and speculative execution) and leak data through side-channel attacks. They affect all modern Intel processors and, in the case of Spectre, many AMD and some ARM cores. Because the vulnerabilities are in the hardware (the microprocessor), all software, including the operating system, is equally affected. Variants of the Meltdown and Spectre exploits have been assigned CVE-2017-5753 (bounds check bypass), CVE-2017-5715 (branch target injection), and CVE-2017-5754 (rogue data cache load). See CERT Vulnerability Note VU#584653.

Meltdown can be mitigated by applying software patches for the kernel available from operating system vendors. Spectre can be mitigated by applying software patches for operating systems as well as popular browsers available from respective vendors.

Further details on Meltdown and Spectre are available here.

Resolution

Meltdown, Spectre and Symantec Data Loss Prevention

Operating system patches are available from vendors to mitigate these hardware issues. Since exploitation requires access to the hosts, and in some cases physical access, the overall risk to Data Loss Prevention is low. Symantec has performed extensive testing of DLP server and endpoint systems with the current system updates from Microsoft, Apple, and Red Hat. In all cases, no issues were uncovered.* DLP on-premise customers should therefore apply the operating system patches to mitigate any adverse impact of these vulnerabilities. If immediate patching is not possible, customers must restrict access to DLP systems (servers and endpoint agent hosts) to authorized personnel only. Additionally, customers should refrain from installing software of unknown origin on these systems.
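The following is an added example, not part of this article or of the DLP product, for confirming on a Linux DLP server or agent host (such as the Red Hat systems tested above) that the vendor kernel update is actually in effect. Kernels that carry the fixes expose one file per issue under /sys/devices/system/cpu/vulnerabilities; the function takes the directory as a parameter so it can also be run against a constructed sample offline. The function and helper names, and the sample status strings, are this example's own assumptions.

```bash
#!/bin/sh
# check_cpu_vulns DIR
# Reads the meltdown, spectre_v1 and spectre_v2 status files under DIR
# (default: the live sysfs directory). Returns 0 when every issue is
# "Not affected" or "Mitigation: ...", 1 when any issue reports
# "Vulnerable", and 2 when the directory is absent, which means the
# running kernel predates the fixes and the host should be treated as
# unpatched.
check_cpu_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "no $dir: kernel does not report mitigation status (assume unpatched)"
        return 2
    fi
    for issue in meltdown spectre_v1 spectre_v2; do
        if [ ! -r "$dir/$issue" ]; then
            echo "$issue: not reported"; rc=1; continue
        fi
        status=$(cat "$dir/$issue")
        case "$status" in
            "Not affected"|Mitigation:*) echo "$issue: $status" ;;
            *) echo "$issue: $status  <-- apply the vendor kernel update"; rc=1 ;;
        esac
    done
    return $rc
}

# make_sample DIR MELTDOWN V1 V2
# Writes a constructed copy of the sysfs layout so the check can be
# exercised on a machine whose kernel lacks the interface.
make_sample() {
    mkdir -p "$1"
    printf '%s\n' "$2" > "$1/meltdown"
    printf '%s\n' "$3" > "$1/spectre_v1"
    printf '%s\n' "$4" > "$1/spectre_v2"
}

# Demo on constructed data: one patched host, one unpatched host.
tmp=$(mktemp -d)
make_sample "$tmp/patched" "Mitigation: PTI" \
    "Mitigation: __user pointer sanitization" "Mitigation: Full generic retpoline"
make_sample "$tmp/unpatched" "Vulnerable" "Vulnerable" "Vulnerable"
if check_cpu_vulns "$tmp/patched"; then echo "patched host: mitigated"; fi
if ! check_cpu_vulns "$tmp/unpatched"; then echo "unpatched host: action required"; fi
```

Run `check_cpu_vulns` with no argument on the real host to read the live sysfs values; Windows hosts have an equivalent in Microsoft's SpeculationControl PowerShell module (Get-SpeculationControlSettings).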

Per operating system vendors, a primary side-effect of the vulnerability patches is an anticipated performance penalty, between 5 and 30%, for all software applications. DLP performance tests, however, do not indicate a noticeable performance degradation between unpatched and patched systems. Customers experiencing an unacceptable performance degradation as a result of these patches are requested to contact Symantec Support via regular channels.

Symantec DLP Cloud Service for Email and Symantec DLP Cloud Detection Service run on Amazon Web Services (AWS), and Amazon has patched its cloud infrastructure to mitigate this risk. Details on the AWS response can be found here.

*Apple recently released Security Update 2018-001 for macOS. The update causes DLP Agent versions 14.6 MP2 or 15.0 running on macOS 10.11.6, 10.12.6, or 10.13.2 to experience a system-wide crash (kernel panic). Refer to ALERT2538 for additional information.