Meltdown and Spectre: Mellanox Products Vulnerability Update
Many microprocessor implementations are known to be susceptible to the Meltdown and Spectre vulnerabilities. These vulnerabilities have been publicly identified as allowing an unprivileged attacker to bypass memory security restrictions and gain read access to privileged memory.
For example, these vulnerabilities could allow an unprivileged local attacker to read privileged memory belonging to other processes or memory allocated to the kernel.
The relevant Common Vulnerabilities and Exposures (CVE) items associated with Meltdown and Spectre are recorded under CVE-2017-5754, CVE-2017-5715 and CVE-2017-5753. Full concise details, including links to the patches issued by OS vendors, are located under https://meltdownattack.com/ (site hosted by Graz University of Technology) or under the Vulnerability Note VU#584653 (site hosted by CERT).
Mellanox is diligently reviewing any potential security impact of Spectre and Meltdown on all of its relevant products. The following is an update on Mellanox’s actions and status regarding these vulnerabilities. Mellanox testing is still ongoing, and timely updates will continue to be released.
Impact of the Vulnerabilities on Mellanox Network Adapters:
As of this date, Mellanox has found no evidence that its network adapters are vulnerable to the Spectre and Meltdown CVEs. In addition:
Impact of the Vulnerabilities on Mellanox Switches (InfiniBand and Ethernet):
As of this date, Mellanox has found no evidence that its switch ICs are vulnerable to the Spectre and Meltdown CVEs. Regarding Mellanox switch systems:
Impact of the Vulnerabilities on Mellanox BlueField Systems:
BlueField includes a multicore Arm A72-based subsystem. Arm has publicly declared Arm cores with Cortex-A72 as not susceptible to the Meltdown CVE (CVE-2017-5754), but as potentially affected by the Spectre CVE variants (CVE-2017-5753 and CVE-2017-5715). The BlueField SmartNIC is not susceptible to the Spectre vulnerabilities, as unauthorized software and users don’t have access to the Arm cores inside BlueField; other BlueField-based platforms are potentially susceptible to the Spectre vulnerabilities if untrusted code is allowed to run on the device. Mellanox is carefully investigating the released OS patches, and will release software updates in the next GA release.
Impact of the Vulnerabilities on Mellanox Management Software:
Mellanox NEO and UFM management software are not susceptible to the Spectre or Meltdown vulnerabilities. In general, the UFM-SDN Appliance is a closed system and as such should not be susceptible to these vulnerabilities. Mellanox is working to confirm this and will release updates if and when relevant.
Microprocessor implementations are known to be susceptible to the Meltdown and Spectre vulnerabilities.
These vulnerabilities have been publicly identified as allowing an unprivileged attacker to bypass memory
security restrictions and gain read access to privileged memory. In other words, and under specific circumstances,
these vulnerabilities can allow an unprivileged local attacker to read privileged memory belonging to other processes
or memory allocated to the kernel.
The relevant Common Vulnerabilities and Exposures (CVE) items associated with Meltdown and Spectre are recorded under CVE-2017-5754, CVE-2017-5715 and CVE-2017-5753. Full concise details, including links to the patches issued by OS vendors, are located under https://meltdownattack.com/ (site hosted by Graz University of Technology) or under the Vulnerability Note VU#584653 (site hosted by the CERT).
Mellanox is diligently reviewing any potential security impact of Spectre and Meltdown on all of its relevant products. This activity includes, but is not restricted to, reviewing all of the released patches issued by OS vendors and testing them to evaluate potential impact.
Initial testing of the released patches has so far shown no functional impact on Mellanox network adapters, and while performance impact is still being evaluated, there seems to be no effect on RDMA application performance. This is additional proof that our core technology doesn’t only provide better performance, but is also more secure. Further testing is under way.
In addition to analysis performed on network adapters, Mellanox is reviewing potential susceptibility to the Meltdown and Spectre vulnerabilities on switch systems, network processors (NPUs), software products, and SoC-based products.
©2018 Mellanox Technologies. All Rights Reserved