Critical vulnerabilities within several CPUs have been identified by security researchers. These hardware vulnerabilities allow programs to learn about the contents of a system's memory, using side-channel attacks. Potential attack vectors against these vulnerabilities have been published and dubbed Meltdown and Spectre. While programs are typically not permitted to read data from the OS kernel or from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in kernel memory or the memory of other programs executed on the same CPU. As a consequence, an exploit could allow attackers to get access to any sensitive data, including passwords or cryptographic keys.

A remote code execution vulnerability in the Microsoft's Credential Security Support Provider protocol (CredSSP) was identified by security researchers. If exploited successfully, it is possible to relay user credentials for arbitrary code execution on the target system.

See details on Microsoft Advisory CVE-2018-0866 (https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0886)

An attacker may exploit a “long cookie” related vulnerability to cause a buffer overflow that allows unauthorized access to the switches operating system files. The attacker can then insert executable code into the OS.

An attacker may insert a carefully crafted cookie into a GET menu_pxc.cgi or GET index.cgi request to cause a buffer overflow that can initiate a Denial of Service attack and execute arbitrary code.

Web interface CGI applications may copy the contents of the running configuration file to a commonly accessed file. Clever manipulation of a web login request can expose the contents of this file through to the web browser. A successful web interface login attempt is not required to read the configuration file contents.

An attacker with permission to transfer configuration files to/from the switch or permission to upgrade firmware, is able to execute arbitrary OS shell commands. CGI applications config_transfer.cgi and software_update.cgi are prone to OS command injection through targeted manipulation of their web-request headers.

Several CPUs manufactured by Intel, AMD or based on ARM technology may leak information due to their internal operation if attacked by specifically written software executed on the affected systems.

The information in this advisory is based on the statements of respective manufacturers.

Critical vulnerabilities within several CPUs have been identified by security researchers. These hardware vulnerabilities allow programs to learn about the contents of a system's memory, using side-channel attacks. Potential attack vectors against these vulnerabilities have been published and dubbed Meltdown and Spectre. While programs are typically not permitted to read data from the OS kernel or from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in kernel memory or the memory of other programs executed on the same CPU. As a consequence, an exploit could allow attackers to get access to any sensitive data, including passwords or cryptographic keys.