Cisco to release patches for Meltdown, Spectre CPU vulns, just in case
Switchzilla is investigating a whole bunch of products
Posted in Security, 5th January 2018 11:10 GMT
Cisco is the latest company to prepare patches to tackle the serious security vulnerabilities affecting the majority of CPUs, Meltdown and Spectre.
Cybersecurity group CERT has warned companies that the only way to protect themselves from the flaw was to rip out and replace their processors. It has since backtracked on that advice, saying patches or repairs should do the job instead.
Outfits to have released patches so far include Amazon, Microsoft, Linux and Apple.
In a statement, Cisco noted that in order to exploit any of these vulnerabilities, an attacker must be able to run crafted code on an affected device. "The majority of Cisco products are closed systems, which do not allow customers to run custom code on the device," it said.
Meltdown, Spectre: The password theft bugs at the heart of Intel CPUsREAD MORE
However, it added that the underlying CPU and OS combination in some products could leave them vulnerable.
"Only Cisco devices that are found to allow the customer to execute their customized code side-by-side with the Cisco code on the same microprocessor are considered vulnerable.
"A Cisco product that may be deployed as a virtual machine or a container, even while not being directly affected by any of these vulnerabilities, could be targeted by such attacks if the hosting environment is vulnerable.
"Cisco recommends customers harden their virtual environment and to ensure that all security updates are installed."
As such, Switchzilla said it will release software updates that address this vulnerability.
The business is investigating a network application, service and acceleration product; a series of routers and switches; and a number of unified computing servers, although it said no Cisco product is known to be vulnerable. ®